changeset 5679:e50b087c4572
merge moin/1.7
Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
author | Eugene Syromyatnikov <evgsyr@gmail.com> |
date | Fri, 04 Jun 2010 02:04:00 +0400 |
parents | 4fe9951788cb |
children | 8604ed2e370c |
files | MoinMoin/Page.py MoinMoin/PageGraphicalEditor.py MoinMoin/action/CopyPage.py MoinMoin/action/LikePages.py MoinMoin/action/Load.py MoinMoin/action/RenamePage.py MoinMoin/action/anywikidraw.py MoinMoin/action/backup.py MoinMoin/action/chart.py MoinMoin/action/language_setup.py MoinMoin/action/login.py MoinMoin/action/newaccount.py MoinMoin/action/recoverpass.py MoinMoin/action/userprofile.py |
diffstat | 14 files changed, 29 insertions(+), 24 deletions(-) [+] |
--- a/MoinMoin/Page.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/Page.py Fri Jun 04 02:04:00 2010 +0400 @@ -1056,8 +1056,8 @@ self.formatter.set_highlight_re(self.hilite_re) except re.error, err: request.theme.add_msg(_('Invalid highlighting regular expression "%(regex)s": %(error)s') % { - 'regex': self.hilite_re, - 'error': str(err), + 'regex': wikiutil.escape(self.hilite_re), + 'error': wikiutil.escape(str(err)), }, "warning") self.hilite_re = None @@ -1113,7 +1113,7 @@ request.theme.add_msg("<strong>%s</strong><br>" % ( _('Revision %(rev)d as of %(date)s') % { 'rev': self.rev, - 'date': self.mtime_printable(request) + 'date': wikiutil.escape(self.mtime_printable(request)) }), "info") # This redirect message is very annoying.
--- a/MoinMoin/PageGraphicalEditor.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/PageGraphicalEditor.py Fri Jun 04 02:04:00 2010 +0400 @@ -170,14 +170,15 @@ elif 'template' in request.values: # If the page does not exist, we try to get the content from the template parameter. template_page = wikiutil.unquoteWikiname(request.values['template']) + template_page_escaped = wikiutil.escape(template_page) if request.user.may.read(template_page): raw_body = Page(request, template_page).get_raw_body() if raw_body: - request.write(_("[Content of new page loaded from %s]") % (template_page, ), '<br>') + request.write(_("[Content of new page loaded from %s]") % (template_page_escaped, ), '<br>') else: - request.write(_("[Template %s not found]") % (template_page, ), '<br>') + request.write(_("[Template %s not found]") % (template_page_escaped, ), '<br>') else: - request.write(_("[You may not read %s]") % (template_page, ), '<br>') + request.write(_("[You may not read %s]") % (template_page_escaped, ), '<br>') # Make backup on previews - but not for new empty pages if not use_draft and preview and raw_body:
--- a/MoinMoin/action/CopyPage.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/CopyPage.py Fri Jun 04 02:04:00 2010 +0400 @@ -86,7 +86,7 @@ def get_form_html(self, buttons_html): _ = self._ if self.users_subpages: - subpages = ' '.join(self.users_subpages) + subpages = ' '.join([wikiutil.escape(page) for page in self.users_subpages]) d = { 'textcha': TextCha(self.request).render(),
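Review bot: The new `subpages = ' '.join([wikiutil.escape(page) for page in self.users_subpages])` line references `wikiutil`, but nothing in this hunk shows the module being imported in CopyPage.py, and the file header of this changeset has no import change for it. Two other files in the same changeset (chart.py and language_setup.py) needed an explicit `from MoinMoin import wikiutil` added, so the existing imports of CopyPage.py, LikePages.py, Load.py, RenamePage.py, anywikidraw.py, backup.py, login.py, recoverpass.py and userprofile.py should be checked for the same gap. A missing import would only surface as a NameError on the escaped path, which is typically the rarely-exercised error or edge branch. The enclosing `get_form_html` continues outside the hunk, so the `else` arm that sets `subpages` when there are no user subpages is not visible here.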
--- a/MoinMoin/action/LikePages.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/LikePages.py Fri Jun 04 02:04:00 2010 +0400 @@ -24,19 +24,19 @@ # Error? if isinstance(matches, (str, unicode)): - request.theme.add_msg(matches, "info") + request.theme.add_msg(wikiutil.escape(matches), "info") Page(request, pagename).send_page() return # No matches if not matches: - request.theme.add_msg(_('No pages like "%s"!') % (pagename, ), "error") + request.theme.add_msg(_('No pages like "%s"!') % (wikiutil.escape(pagename), ), "error") Page(request, pagename).send_page() return # One match - display it if len(matches) == 1: - request.theme.add_msg(_('Exactly one page like "%s" found, redirecting to page.') % (pagename, ), "info") + request.theme.add_msg(_('Exactly one page like "%s" found, redirecting to page.') % (wikiutil.escape(pagename), ), "info") Page(request, matches.keys()[0]).send_page() return
--- a/MoinMoin/action/Load.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/Load.py Fri Jun 04 02:04:00 2010 +0400 @@ -111,7 +111,7 @@ 'upload_label_file': _('File to load page content from'), 'upload_label_comment': _('Comment'), 'upload_label_rename': _('Page name'), - 'pagename': self.pagename, + 'pagename': wikiutil.escape(self.pagename, quote=1), 'buttons_html': buttons_html, 'action_name': self.form_trigger, 'textcha': TextCha(self.request).render(),
--- a/MoinMoin/action/RenamePage.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/RenamePage.py Fri Jun 04 02:04:00 2010 +0400 @@ -99,7 +99,7 @@ if self.subpages: redirect_label = _('Create redirect for renamed page(s)?') - subpages = ' '.join(self.subpages) + subpages = ' '.join([wikiutil.escape(page) for page in self.subpages]) subpages_html = """ <tr> <dd> @@ -117,6 +117,7 @@ else: redirect_label = _('Create redirect for renamed page?') subpages_html = "" +>>>>>>> other if self.show_redirect: redirect_html = '<tr><dd>%(redirect_label)s<input type="checkbox" name="rename_redirect" value="1" %(redirect)s></dd></tr>' % {
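Review bot: The second hunk adds a leftover merge-conflict marker, `+>>>>>>> other`, to RenamePage.py right after `subpages_html = ""`; that is not valid Python, so importing the RenamePage action will fail with a SyntaxError and the rename form cannot be served at all. The line should simply be deleted, leaving `subpages_html = ""` followed directly by `if self.show_redirect:`. The first hunk's escaping of `self.subpages` is fine. The enclosing `get_form_html` starts and ends outside both hunks.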
--- a/MoinMoin/action/anywikidraw.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/anywikidraw.py Fri Jun 04 02:04:00 2010 +0400 @@ -205,6 +205,6 @@ else: msg = awd.render() if msg: - request.theme.add_msg(msg, 'error') + request.theme.add_msg(wikiutil.escape(msg), 'error') do_show(pagename, request)
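Review bot: `request.theme.add_msg(wikiutil.escape(msg), 'error')` escapes whatever `awd.render()` returns, but the hunk does not show what `render()` produces; if it ever returns markup intended for display, that markup will now be shown literally. It would be worth confirming that `render()` yields plain text on the error path, or documenting on `render()` that its return value is unescaped text, e.g. `# render() returns a plain-text error message (unescaped) or None`. The enclosing function starts outside the hunk.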
--- a/MoinMoin/action/backup.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/backup.py Fri Jun 04 02:04:00 2010 +0400 @@ -80,8 +80,11 @@ request.theme.send_footer(pagename) request.theme.send_closing_html() - +# NOTE: consider using ActionBase.render_msg instead of this function. def sendMsg(request, pagename, msg, msgtype): + """ + @param msg: Message to show. Should be escaped. + """ from MoinMoin import Page request.theme.add_msg(msg, msgtype) return Page.Page(request, pagename).send_page() @@ -107,5 +110,4 @@ sendBackupForm(request, pagename) else: return sendMsg(request, pagename, - msg=_('Unknown backup subaction: %s.') % dowhat, msgtype="error") - + msg=_('Unknown backup subaction: %s.') % wikiutil.escape(dowhat), msgtype="error")
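Review bot: The new docstring on `sendMsg`, `@param msg: Message to show. Should be escaped.`, leaves open who does the escaping; since the function passes `msg` to `theme.add_msg` unchanged, the caller's obligation should be stated explicitly, e.g. `@param msg: message to show; must already be HTML-escaped, it is passed to theme.add_msg verbatim.` The second hunk follows that contract with `wikiutil.escape(dowhat)`, which is consistent. The `# NOTE: consider using ActionBase.render_msg instead of this function.` comment would read better inside the docstring as a `@todo:` line, matching the epydoc style the file already uses.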
--- a/MoinMoin/action/chart.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/chart.py Fri Jun 04 02:04:00 2010 +0400 @@ -6,6 +6,7 @@ 2006 MoinMoin:ThomasWaldmann @license: GNU GPL, see COPYING for details. """ +from MoinMoin import wikiutil from MoinMoin.util import pysupport def execute(pagename, request): @@ -27,7 +28,7 @@ try: func = pysupport.importName("MoinMoin.stats.%s" % chart_type, 'draw') except (ImportError, AttributeError): - request.theme.add_msg(_('Bad chart type "%s"!') % chart_type, "error") + request.theme.add_msg(_('Bad chart type "%s"!') % wikiutil.escape(chart_type), "error") return request.page.send_page() func(pagename, request)
--- a/MoinMoin/action/language_setup.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/language_setup.py Fri Jun 04 02:04:00 2010 +0400 @@ -11,7 +11,7 @@ @license: GNU GPL, see COPYING for details. """ -from MoinMoin import i18n, packages +from MoinMoin import i18n, packages, wikiutil from MoinMoin.i18n import strings i18n.strings = strings @@ -85,7 +85,7 @@ lang_selector = u''.join([fmt.paragraph(1), _("Choose:"), ' ', ' '.join(lang_links), fmt.paragraph(0)]) - title = _("Install language packs for '%s'") % (lang) + title = _("Install language packs for '%s'") % wikiutil.escape(lang) request.theme.add_msg(msg, "info") request.theme.send_title(title, page=request.page, pagename=pagename) request.write(request.formatter.startContent("content"))
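Review bot: `title = _("Install language packs for '%s'") % wikiutil.escape(lang)` is then passed to `request.theme.send_title(title, ...)`; whether that is correct depends on whether `send_title` treats its title as HTML or escapes it itself, which the hunk does not show. If `send_title` already escapes, the user will see `&amp;`-style double escaping in the page title; if it does not, the escaping here is the right fix. A short comment at the assignment stating the assumption, e.g. `# send_title renders the title as HTML, so escape here`, would make the contract visible to the next reader. The enclosing function starts and ends outside the hunk.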
--- a/MoinMoin/action/login.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/login.py Fri Jun 04 02:04:00 2010 +0400 @@ -66,7 +66,7 @@ return self.handle_multistage() if hasattr(request, '_login_messages'): for msg in request._login_messages: - request.theme.add_msg(msg, "error") + request.theme.add_msg(wikiutil.escape(msg), "error") return self.page.send_page() else: # show login form
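Review bot: `request.theme.add_msg(wikiutil.escape(msg), "error")` now escapes every entry of `request._login_messages`, but the producers of that list (the auth backends) are outside this hunk, and any backend that emits a message containing markup will now display it literally. The contract that `_login_messages` holds plain, unescaped text should be documented where the list is populated, or the escaping moved there, so the two sides cannot drift apart. The enclosing method starts and ends outside the hunk.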
--- a/MoinMoin/action/newaccount.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/newaccount.py Fri Jun 04 02:04:00 2010 +0400 @@ -59,7 +59,7 @@ if pw_checker: pw_error = pw_checker(request, theuser.name, password) if pw_error: - return _("Password not acceptable: %s") % pw_error + return _("Password not acceptable: %s") % wikiutil.escape(pw_error) # Encode password if password and not password.startswith('{SHA}'): @@ -67,7 +67,7 @@ theuser.enc_password = user.encodePassword(password) except UnicodeError, err: # Should never happen - return "Can't encode password: %s" % str(err) + return "Can't encode password: %s" % wikiutil.escape(str(err)) # try to get the email, for new users it is required email = wikiutil.clean_input(form.get('email', ''))
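Review bot: The new line `return "Can't encode password: %s" % wikiutil.escape(str(err))` is the only user-facing return in these hunks not wrapped in `_()`, unlike the sibling `_("Password not acceptable: %s")` two lines earlier; for consistency it should read `return _("Can't encode password: %s") % wikiutil.escape(str(err))`. The escaping itself is correct for both hunks. The enclosing function starts and ends outside the hunks.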
--- a/MoinMoin/action/recoverpass.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/recoverpass.py Fri Jun 04 02:04:00 2010 +0400 @@ -175,7 +175,7 @@ if pw_checker: pw_error = pw_checker(request, name, newpass) if pw_error: - msg = _("Password not acceptable: %s") % pw_error + msg = _("Password not acceptable: %s") % wikiutil.escape(pw_error) if not pw_error: u = user.User(request, user.getUserId(request, name)) if u and u.valid and u.apply_recovery_token(token, newpass):
--- a/MoinMoin/action/userprofile.py Thu Jun 03 16:49:30 2010 +0400 +++ b/MoinMoin/action/userprofile.py Fri Jun 04 02:04:00 2010 +0400 @@ -28,7 +28,7 @@ oldval = getattr(theuser, key) setattr(theuser, key, val) theuser.save() - request.theme.add_msg('%s.%s: %s -> %s' % (user_name, key, oldval, val), "info") + request.theme.add_msg('%s.%s: %s -> %s' % tuple([wikiutil.escape(s) for s in [user_name, key, oldval, val]]), "info") Page(request, pagename).send_page()
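Review bot: `'%s.%s: %s -> %s' % tuple([wikiutil.escape(s) for s in [user_name, key, oldval, val]])` feeds `oldval`, the result of `getattr(theuser, key)`, straight into `wikiutil.escape`; the hunk gives no indication that every user attribute is a string, so if `escape` does not coerce non-strings, a list- or bool-valued attribute would raise here instead of producing the message. Either confirm that `wikiutil.escape` accepts non-string input or apply `str()` (or `unicode()`) before escaping. Unpacking into named variables, `user_name_e, key_e, oldval_e, val_e = ...`, would also read more clearly than the `tuple([...])` construction. The enclosing function starts outside the hunk.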