comparison data/plugin/action/submitbase.py @ 627:f683dea1ac1b

FormSubmit: fix misc. issues * actions[] is a list, so use form.getlist * if getHandler returns None, don't call that * misc. file upload related fixes for werkzeug * use taintfilename on supplied filenames for better security
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 25 Mar 2013 19:41:11 +0100
parents f64779d5d500
children 819c4121f9a0
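--- a/data/plugin/action/submitbase.py
+++ b/data/plugin/action/submitbase.py
@@ -64,20 +64,21 @@
 self.attachContent = ""
 self.targetpage = self.pagename
 self.module = self.__module__.split(".").pop()
 
 if "actions[]" in self.request.form:
-self.actions = copy.copy(self.request.form.get("actions[]"))
+self.actions = copy.copy(self.request.form.getlist("actions[]"))
 else:
 self.actions.append(self.module)
 
 self.fields = self._exclude_metadata(self.request.form)
 
 # file upload is present
-if "file" in request.form:
-self.attachFile = request.form.get("file__filename__")
-self.attachContent = request.form.get("file")
+file_upload = request.files.get('file')
+if file_upload:
+self.attachFile = wikiutil.taintfilename(file_upload.filename)
+self.attachContent = file_upload.stream
 self.attachLabel = request.form.get("uploadlabel")
 self.attachLabel = self.attachLabel.encode('utf-8')
 
 # page where all submited data will be stored
 if "targetpage" in request.form: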
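Review bot: The `uploadlabel` lookup right after the new `taintfilename` call still assumes the field is present: `request.form.get("uploadlabel")` returns None when a client posts a file without that field, and the following `.encode('utf-8')` then raises instead of being handled. A default would close that, e.g. `self.attachLabel = request.form.get("uploadlabel", u"").encode('utf-8')`. Separately, `self.attachContent` is now a stream for uploads but stays the string `""` otherwise, so a comment such as `# file-like object for uploads, "" when no file was sent` would help whoever consumes it; that consumer, and any size limit on the upload, are not visible here. Indentation is lost in this view and the enclosing method starts and ends outside it, so it should be confirmed that the label lines sit inside the `if file_upload:` branch.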