merge moin/1.7
authorEugene Syromyatnikov <evgsyr@gmail.com>
Fri, 04 Jun 2010 02:04:00 +0400
changeset 5679e50b087c4572
parent 5678 4fe9951788cb
child 5680 8604ed2e370c
merge moin/1.7
Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
MoinMoin/Page.py
MoinMoin/PageGraphicalEditor.py
MoinMoin/action/CopyPage.py
MoinMoin/action/LikePages.py
MoinMoin/action/Load.py
MoinMoin/action/RenamePage.py
MoinMoin/action/anywikidraw.py
MoinMoin/action/backup.py
MoinMoin/action/chart.py
MoinMoin/action/language_setup.py
MoinMoin/action/login.py
MoinMoin/action/newaccount.py
MoinMoin/action/recoverpass.py
MoinMoin/action/userprofile.py
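--- a/MoinMoin/Page.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/Page.py	Fri Jun 04 02:04:00 2010 +0400
@@ -1056,8 +1056,8 @@
                 self.formatter.set_highlight_re(self.hilite_re)
             except re.error, err:
                 request.theme.add_msg(_('Invalid highlighting regular expression "%(regex)s": %(error)s') % {
-                                          'regex': self.hilite_re,
-                                          'error': str(err),
+                                          'regex': wikiutil.escape(self.hilite_re),
+                                          'error': wikiutil.escape(str(err)),
                                       }, "warning")
                 self.hilite_re = None
 
@@ -1113,7 +1113,7 @@
                     request.theme.add_msg("<strong>%s</strong><br>" % (
                         _('Revision %(rev)d as of %(date)s') % {
                             'rev': self.rev,
-                            'date': self.mtime_printable(request)
+                            'date': wikiutil.escape(self.mtime_printable(request))
                         }), "info")
 
                 # This redirect message is very annoying.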
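--- a/MoinMoin/PageGraphicalEditor.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/PageGraphicalEditor.py	Fri Jun 04 02:04:00 2010 +0400
@@ -170,14 +170,15 @@
         elif 'template' in request.values:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(request.values['template'])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.write(_("[Content of new page loaded from %s]") % (template_page, ), '<br>')
+                    request.write(_("[Content of new page loaded from %s]") % (template_page_escaped, ), '<br>')
                 else:
-                    request.write(_("[Template %s not found]") % (template_page, ), '<br>')
+                    request.write(_("[Template %s not found]") % (template_page_escaped, ), '<br>')
             else:
-                request.write(_("[You may not read %s]") % (template_page, ), '<br>')
+                request.write(_("[You may not read %s]") % (template_page_escaped, ), '<br>')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body: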
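--- a/MoinMoin/action/CopyPage.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/CopyPage.py	Fri Jun 04 02:04:00 2010 +0400
@@ -86,7 +86,7 @@
     def get_form_html(self, buttons_html):
         _ = self._
         if self.users_subpages:
-            subpages = ' '.join(self.users_subpages)
+            subpages = ' '.join([wikiutil.escape(page) for page in self.users_subpages])
 
             d = {
                 'textcha': TextCha(self.request).render(),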
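--- a/MoinMoin/action/LikePages.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/LikePages.py	Fri Jun 04 02:04:00 2010 +0400
@@ -24,19 +24,19 @@
 
     # Error?
     if isinstance(matches, (str, unicode)):
-        request.theme.add_msg(matches, "info")
+        request.theme.add_msg(wikiutil.escape(matches), "info")
         Page(request, pagename).send_page()
         return
 
     # No matches
     if not matches:
-        request.theme.add_msg(_('No pages like "%s"!') % (pagename, ), "error")
+        request.theme.add_msg(_('No pages like "%s"!') % (wikiutil.escape(pagename), ), "error")
         Page(request, pagename).send_page()
         return
 
     # One match - display it
     if len(matches) == 1:
-        request.theme.add_msg(_('Exactly one page like "%s" found, redirecting to page.') % (pagename, ), "info")
+        request.theme.add_msg(_('Exactly one page like "%s" found, redirecting to page.') % (wikiutil.escape(pagename), ), "info")
         Page(request, matches.keys()[0]).send_page()
         return
 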
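--- a/MoinMoin/action/Load.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/Load.py	Fri Jun 04 02:04:00 2010 +0400
@@ -111,7 +111,7 @@
     'upload_label_file': _('File to load page content from'),
     'upload_label_comment': _('Comment'),
     'upload_label_rename': _('Page name'),
-    'pagename': self.pagename,
+    'pagename': wikiutil.escape(self.pagename, quote=1),
     'buttons_html': buttons_html,
     'action_name': self.form_trigger,
     'textcha': TextCha(self.request).render(),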
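--- a/MoinMoin/action/RenamePage.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/RenamePage.py	Fri Jun 04 02:04:00 2010 +0400
@@ -99,7 +99,7 @@
         if self.subpages:
             redirect_label = _('Create redirect for renamed page(s)?')
 
-            subpages = ' '.join(self.subpages)
+            subpages = ' '.join([wikiutil.escape(page) for page in self.subpages])
             subpages_html = """
                 <tr>
                 <dd>
@@ -117,6 +117,7 @@
         else:
             redirect_label = _('Create redirect for renamed page?')
             subpages_html = ""
+>>>>>>> other
 
         if self.show_redirect:
             redirect_html = '<tr><dd>%(redirect_label)s<input type="checkbox" name="rename_redirect" value="1" %(redirect)s></dd></tr>' % {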
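Review bot: A stray merge-conflict marker, `>>>>>>> other`, is added as a new line right after `subpages_html = ""` in the second hunk; in a Python source file that line is a syntax error, so RenamePage.py will fail to import and the rename action will be unusable until it is deleted. The fix is simply to drop that one added line; the escaping of `self.subpages` in the first hunk itself looks right. The `if self.subpages: ... else:` block belongs to a method whose definition starts outside the hunk.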
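--- a/MoinMoin/action/anywikidraw.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/anywikidraw.py	Fri Jun 04 02:04:00 2010 +0400
@@ -205,6 +205,6 @@
     else:
         msg = awd.render()
     if msg:
-        request.theme.add_msg(msg, 'error')
+        request.theme.add_msg(wikiutil.escape(msg), 'error')
         do_show(pagename, request)
 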
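Review bot: The blanket `wikiutil.escape(msg)` on the changed line assumes every value `msg` can take is plain text; the one source visible here is `awd.render()`, and the other branches that assign `msg` are outside the hunk. If render() or any of those branches ever produces a message that already contains markup, it would now be displayed literally instead of rendered, so the return contract of render() should be confirmed and, if it is plain text, recorded at the assignment: `msg = awd.render()  # plain text; escaped before add_msg below`. The enclosing function starts outside the hunk.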
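--- a/MoinMoin/action/backup.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/backup.py	Fri Jun 04 02:04:00 2010 +0400
@@ -80,8 +80,11 @@
     request.theme.send_footer(pagename)
     request.theme.send_closing_html()
 
-
+# NOTE: consider using ActionBase.render_msg instead of this function.
 def sendMsg(request, pagename, msg, msgtype):
+    """
+    @param msg: Message to show. Should be escaped.
+    """
     from MoinMoin import Page
     request.theme.add_msg(msg, msgtype)
     return Page.Page(request, pagename).send_page()
@@ -107,5 +110,4 @@
         sendBackupForm(request, pagename)
     else:
         return sendMsg(request, pagename,
-                       msg=_('Unknown backup subaction: %s.') % dowhat, msgtype="error")
-
+                       msg=_('Unknown backup subaction: %s.') % wikiutil.escape(dowhat), msgtype="error")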
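Review bot: The new docstring on `sendMsg` says only `Should be escaped`, which leaves the contract ambiguous about who escapes and for what context. Since the body hands `msg` straight to `request.theme.add_msg`, I would state it as `@param msg: Message to show. Must already be HTML-escaped by the caller; it is passed to theme.add_msg verbatim.` Only the one call site in the second hunk is visible and it now escapes `dowhat`; any other sendMsg callers in this file are outside the hunks and would need the same check.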
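--- a/MoinMoin/action/chart.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/chart.py	Fri Jun 04 02:04:00 2010 +0400
@@ -6,6 +6,7 @@
                 2006 MoinMoin:ThomasWaldmann
     @license: GNU GPL, see COPYING for details.
 """
+from MoinMoin import wikiutil
 from MoinMoin.util import pysupport
 
 def execute(pagename, request):
@@ -27,7 +28,7 @@
     try:
         func = pysupport.importName("MoinMoin.stats.%s" % chart_type, 'draw')
     except (ImportError, AttributeError):
-        request.theme.add_msg(_('Bad chart type "%s"!') % chart_type, "error")
+        request.theme.add_msg(_('Bad chart type "%s"!') % wikiutil.escape(chart_type), "error")
         return request.page.send_page()
 
     func(pagename, request)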
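--- a/MoinMoin/action/language_setup.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/language_setup.py	Fri Jun 04 02:04:00 2010 +0400
@@ -11,7 +11,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-from MoinMoin import i18n, packages
+from MoinMoin import i18n, packages, wikiutil
 from MoinMoin.i18n import strings
 i18n.strings = strings
 
@@ -85,7 +85,7 @@
 
     lang_selector = u''.join([fmt.paragraph(1), _("Choose:"), ' ', ' '.join(lang_links), fmt.paragraph(0)])
 
-    title = _("Install language packs for '%s'") % (lang)
+    title = _("Install language packs for '%s'") % wikiutil.escape(lang)
     request.theme.add_msg(msg, "info")
     request.theme.send_title(title, page=request.page, pagename=pagename)
     request.write(request.formatter.startContent("content"))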
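Review bot: `msg` in `request.theme.add_msg(msg, "info")`, the line directly after the changed `title` line, is still passed unescaped while `title` now is; `msg` is built outside the hunk, so whether it is plain text or deliberately constructed markup needs confirming before this action can be considered covered by the fix. It is also worth checking whether `send_title` escapes its `text` argument itself when emitting the `<title>` element — if it does, `lang` is now escaped twice and an `&` in it would display as `&amp;`. The enclosing function starts outside the hunk.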
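--- a/MoinMoin/action/login.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/login.py	Fri Jun 04 02:04:00 2010 +0400
@@ -66,7 +66,7 @@
                 return self.handle_multistage()
             if hasattr(request, '_login_messages'):
                 for msg in request._login_messages:
-                    request.theme.add_msg(msg, "error")
+                    request.theme.add_msg(wikiutil.escape(msg), "error")
             return self.page.send_page()
 
         else: # show login form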
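--- a/MoinMoin/action/newaccount.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/newaccount.py	Fri Jun 04 02:04:00 2010 +0400
@@ -59,7 +59,7 @@
     if pw_checker:
         pw_error = pw_checker(request, theuser.name, password)
         if pw_error:
-            return _("Password not acceptable: %s") % pw_error
+            return _("Password not acceptable: %s") % wikiutil.escape(pw_error)
 
     # Encode password
     if password and not password.startswith('{SHA}'):
@@ -67,7 +67,7 @@
             theuser.enc_password = user.encodePassword(password)
         except UnicodeError, err:
             # Should never happen
-            return "Can't encode password: %s" % wikiutil.escape(str(err))
+            return "Can't encode password: %s" % wikiutil.escape(str(err))
 
     # try to get the email, for new users it is required
     email = wikiutil.clean_input(form.get('email', ''))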
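Review bot: The two changed `return` lines now hand back HTML-escaped text, but nothing records that the function's string return value is already escaped; the caller that renders it must know not to escape again and must not mix in unescaped messages. I would add a one-line note to the function's docstring (the `def` is outside the hunk) stating that any returned error message is already HTML-escaped and is meant to go to `theme.add_msg` as is. The same contract point applies to `msg` built from `pw_error` in the recoverpass.py hunk, where `msg` presumably flows to add_msg later in that function.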
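--- a/MoinMoin/action/recoverpass.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/recoverpass.py	Fri Jun 04 02:04:00 2010 +0400
@@ -175,7 +175,7 @@
             if pw_checker:
                 pw_error = pw_checker(request, name, newpass)
                 if pw_error:
-                    msg = _("Password not acceptable: %s") % pw_error
+                    msg = _("Password not acceptable: %s") % wikiutil.escape(pw_error)
             if not pw_error:
                 u = user.User(request, user.getUserId(request, name))
                 if u and u.valid and u.apply_recovery_token(token, newpass):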
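--- a/MoinMoin/action/userprofile.py	Thu Jun 03 16:49:30 2010 +0400
+++ b/MoinMoin/action/userprofile.py	Fri Jun 04 02:04:00 2010 +0400
@@ -28,7 +28,7 @@
         oldval = getattr(theuser, key)
         setattr(theuser, key, val)
         theuser.save()
-        request.theme.add_msg('%s.%s: %s -> %s' % (user_name, key, oldval, val), "info")
+        request.theme.add_msg('%s.%s: %s -> %s' % tuple([wikiutil.escape(s) for s in [user_name, key, oldval, val]]), "info")
 
     Page(request, pagename).send_page()
 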
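Review bot: `oldval` comes from `getattr(theuser, key)` and is not guaranteed to be a string; the old `%s` formatting accepted any type, whereas the new line passes each value through `wikiutil.escape` first. If `wikiutil.escape` does not coerce non-string input itself, an attribute holding a list or a bool would now raise here, so that should be confirmed or made explicit with `wikiutil.escape(unicode(s))` in the comprehension. The enclosing function starts outside the hunk.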