diff data/plugin/action/submitbase.py @ 627:f683dea1ac1b

FormSubmit: fix misc. issues * actions[] is a list, so use form.getlist * if getHandler returns None, don't call that * misc. file upload related fixes for werkzeug * use taintfilename on supplied filenames for better security
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 25 Mar 2013 19:41:11 +0100
parents f64779d5d500
children 819c4121f9a0
--- a/data/plugin/action/submitbase.py	Mon Mar 25 18:29:47 2013 +0100
+++ b/data/plugin/action/submitbase.py	Mon Mar 25 19:41:11 2013 +0100
@@ -66,16 +66,17 @@
         self.module = self.__module__.split(".").pop()
         
         if "actions[]" in self.request.form:
-            self.actions = copy.copy(self.request.form.get("actions[]"))
+            self.actions = copy.copy(self.request.form.getlist("actions[]"))
         else:
             self.actions.append(self.module)
         
         self.fields = self._exclude_metadata(self.request.form)
         
         # file upload is present
-        if "file" in request.form:
-            self.attachFile = request.form.get("file__filename__")
-            self.attachContent = request.form.get("file")
+        file_upload = request.files.get('file')
+        if file_upload:
+            self.attachFile = wikiutil.taintfilename(file_upload.filename)
+            self.attachContent = file_upload.stream
             self.attachLabel = request.form.get("uploadlabel")
             self.attachLabel = self.attachLabel.encode('utf-8')
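Review bot: The upload branch still calls `.encode('utf-8')` on the result of `request.form.get("uploadlabel")`, which is None when a client posts a `file` part without that field, so a hand-crafted request raises AttributeError instead of being handled. A default closes this: `self.attachLabel = request.form.get("uploadlabel", u"").encode('utf-8')`. `self.attachContent` now holds `file_upload.stream` rather than the form value, so any consumer outside this hunk that expects string content presumably needs to read from the stream, ideally with a size bound. A short comment above the `taintfilename` call, such as `# filename is client-supplied; taint it before it reaches any path handling`, would record why the call must stay. The enclosing method starts and continues outside the hunk.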