changeset 5362:8fc12793ba3e

xmlrpc: process attachname in get and put Attachment similarly
author Reimar Bauer <rb.proj AT googlemail DOT com>
date Tue, 08 Dec 2009 19:11:15 +0100
parents c6fd8b7f82b4
children c3b6639e101a cbd72078ad91
files MoinMoin/xmlrpc/__init__.py
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
--- a/MoinMoin/xmlrpc/__init__.py	Tue Dec 08 18:49:05 2009 +0100
+++ b/MoinMoin/xmlrpc/__init__.py	Tue Dec 08 19:11:15 2009 +0100
@@ -19,6 +19,7 @@
 
     @copyright: 2003-2008 MoinMoin:ThomasWaldmann,
                 2004-2006 MoinMoin:AlexanderSchremmer
+                2007-2009 MoinMoin:ReimarBauer
     @license: GNU GPL, see COPYING for details
 """
 from MoinMoin.util import pysupport
@@ -962,8 +963,8 @@
         if not self.request.user.may.read(pagename):
             return self.notAllowedFault()
 
-        filename = wikiutil.taintfilename(self._instr(attachname))
-        filename = AttachFile.getFilename(self.request, pagename, filename)
+        attachname = wikiutil.taintfilename(self._instr(attachname))
+        filename = AttachFile.getFilename(self.request, pagename, attachname)
         if not os.path.isfile(filename):
             return self.noSuchPageFault()
         return self._outlob(open(filename, 'rb').read())
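Review bot: The file handle opened in `self._outlob(open(filename, 'rb').read())` on the last line of this hunk is never closed explicitly, so on this remotely callable read path its release is left to the garbage collector. The handle should be closed deterministically; try/finally does this without assuming a minimum Python version, and `with` would do where the project's supported versions allow it. The whole attachment is also read into memory in one call, so a comment stating the expected size bound would help. The enclosing method starts outside the hunk.

```python
        # … unchanged: read check, taintfilename/getFilename, isfile check …
        f = open(filename, 'rb')
        try:
            return self._outlob(f.read())
        finally:
            f.close()
```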
@@ -986,7 +987,7 @@
         if not self.request.user.may.write(pagename):
             return xmlrpclib.Fault(1, "You are not allowed to edit this page")
 
-        attachname = wikiutil.taintfilename(attachname)
+        attachname = wikiutil.taintfilename(self._instr(attachname))
         filename = AttachFile.getFilename(self.request, pagename, attachname)
         if os.path.exists(filename) and not os.path.isfile(filename):
             return self.noSuchPageFault()
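Review bot: The guard `os.path.exists(filename) and not os.path.isfile(filename)` lets an existing regular file through, so the code after this hunk presumably replaces an attachment on the strength of `may.write` alone; the method body continues outside the hunk, so this needs confirming there. If overwriting is meant to need a stronger right than adding, an explicit check before the write would make that visible, e.g. `if os.path.exists(filename) and not self.request.user.may.delete(pagename): return self.notAllowedFault()`. Separately, the inline `xmlrpclib.Fault(1, ...)` here differs from the `self.notAllowedFault()` used in the read path, and `noSuchPageFault()` is returned for what is really a bad attachment path. A short comment on each would tell the next reader whether that is deliberate.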