diff data/plugin/action/submitcsv.py @ 627:f683dea1ac1b

FormSubmit: fix misc. issues
* actions[] is a list, so use form.getlist
* if getHandler returns None, don't call that
* misc. file upload related fixes for werkzeug
* use taintfilename on supplied filenames for better security
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 25 Mar 2013 19:41:11 +0100
parents f64779d5d500
children 819c4121f9a0
--- a/data/plugin/action/submitcsv.py	Mon Mar 25 18:29:47 2013 +0100
+++ b/data/plugin/action/submitcsv.py	Mon Mar 25 19:41:11 2013 +0100
@@ -33,6 +33,7 @@
         
         self.delimiter = ';'
         self.targetFile = request.form.get("targetfile", "list.csv")
+        self.targetFile = wikiutil.taintfilename(self.targetFile)  # replace illegal chars
 
     def sanitize(self):
         SubmitBase.sanitize(self)
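
Review bot: the result of the added `wikiutil.taintfilename(self.targetFile)` call is stored without any further check, so the target file name is still chosen entirely by the request's "targetfile" field. Replacing illegal characters does not restrict which file name is written to, and the visible lines do not handle a value that comes back empty or without the expected .csv suffix. Consider validating the tainted name (non-empty, expected extension, or a match against an allowlist of configured targets) and falling back to "list.csv" otherwise. It would also be tidier to wrap the lookup in one expression, `self.targetFile = wikiutil.taintfilename(request.form.get("targetfile", "list.csv"))`, so the raw form value is never held on the instance. The hunk does not show an import of `wikiutil`; please confirm the module already imports it.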