changeset 627:f683dea1ac1b

FormSubmit: fix misc. issues * actions[] is a list, so use form.getlist * if getHandler returns None, don't call that * misc. file upload related fixes for werkzeug * use taintfilename on supplied filenames for better security
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 25 Mar 2013 19:41:11 +0100
parents f64779d5d500
children 819c4121f9a0
files data/plugin/action/loadactions.py data/plugin/action/submitattachment.py data/plugin/action/submitbase.py data/plugin/action/submitcsv.py
diffstat 4 files changed, 10 insertions(+), 7 deletions(-) [+]
--- a/data/plugin/action/loadactions.py	Mon Mar 25 18:29:47 2013 +0100
+++ b/data/plugin/action/loadactions.py	Mon Mar 25 19:41:11 2013 +0100
@@ -19,10 +19,11 @@
 
 
 def execute(pagename, request):
-    for action in request.form.get("actions[]"):
+    for action in request.form.getlist("actions[]"):
         handler = getHandler(request, action)
         try:
-            handler(pagename, request)
+            if handler:
+                handler(pagename, request)
         except SubmitError:
             # Stop executing next actions if there is an error
             break
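Review bot: The new `if handler:` guard makes an unrecognised value in `actions[]` disappear silently: since `getlist` hands the loop a fully client-controlled list of action names, a request carrying an unexpected name now runs nothing and leaves no trace, which is hard to diagnose and hides probing. Consider resolving the handler before the `try` and logging the name, i.e. `if handler is None:` followed by a log call through whatever logger this module uses and `continue`, so the `try` wraps only the dispatch. Whether an unknown name can reach a handler at all rests on getHandler resolving only registered actions, which is outside this hunk. `execute` may continue past the `break` shown here.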
--- a/data/plugin/action/submitattachment.py	Mon Mar 25 18:29:47 2013 +0100
+++ b/data/plugin/action/submitattachment.py	Mon Mar 25 19:41:11 2013 +0100
@@ -56,7 +56,7 @@
      
     def sanitize(self):
         SubmitBase.sanitize(self)
-        self.request.form['file__filename__'] = self.attachFile = self.rewrite_filename(self.attachFile)  
+        self.request.files['file'].filename = self.attachFile = self.rewrite_filename(self.attachFile)
          
     def submit(self):
         AttachFile.add_attachment(self.request, self.targetpage, self.attachFile, self.attachContent, 0)
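Review bot: `self.request.files['file']` on the added line indexes the upload directly, so `sanitize` raises `KeyError` when the request carries no file part, whereas the base class in this same changeset guards the lookup with `request.files.get('file')`; unless `sanitize` is only reachable with an upload present (not visible here), mirror that guard: `upload = self.request.files.get('file')` / `if upload is not None:` / `upload.filename = self.attachFile = self.rewrite_filename(self.attachFile)`. Separately, the base constructor runs `taintfilename` on the original name, but the result of `rewrite_filename` is stored without re-tainting; if `rewrite_filename` (defined outside this hunk) can reintroduce request-supplied characters, apply `wikiutil.taintfilename` to its return value as well, provided `wikiutil` is importable in this module.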
--- a/data/plugin/action/submitbase.py	Mon Mar 25 18:29:47 2013 +0100
+++ b/data/plugin/action/submitbase.py	Mon Mar 25 19:41:11 2013 +0100
@@ -66,16 +66,17 @@
         self.module = self.__module__.split(".").pop()
         
         if "actions[]" in self.request.form:
-            self.actions = copy.copy(self.request.form.get("actions[]"))
+            self.actions = copy.copy(self.request.form.getlist("actions[]"))
         else:
             self.actions.append(self.module)
         
         self.fields = self._exclude_metadata(self.request.form)
         
         # file upload is present
-        if "file" in request.form:
-            self.attachFile = request.form.get("file__filename__")
-            self.attachContent = request.form.get("file")
+        file_upload = request.files.get('file')
+        if file_upload:
+            self.attachFile = wikiutil.taintfilename(file_upload.filename)
+            self.attachContent = file_upload.stream
             self.attachLabel = request.form.get("uploadlabel")
             self.attachLabel = self.attachLabel.encode('utf-8')
             
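Review bot: `self.attachContent = file_upload.stream` changes the attribute from the string the old `request.form.get("file")` returned to a file-like object, and the only visible consumer, `AttachFile.add_attachment(..., self.attachContent, 0)` in submitattachment.py, is handed that stream with no check on this page that it accepts file-likes; if it expects bytes, `file_upload.stream.read()` restores the old contract, and a short comment on the line stating which one is intended would help either way. The `copy.copy` around `getlist("actions[]")` is redundant because `getlist` returns a fresh list on every call, so `self.actions = self.request.form.getlist("actions[]")` suffices. The `wikiutil` name used by the new `taintfilename` call must be imported at the top of submitbase.py, which is outside this hunk. The enclosing method starts before the hunk.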
--- a/data/plugin/action/submitcsv.py	Mon Mar 25 18:29:47 2013 +0100
+++ b/data/plugin/action/submitcsv.py	Mon Mar 25 19:41:11 2013 +0100
@@ -33,6 +33,7 @@
         
         self.delimiter = ';'
         self.targetFile = request.form.get("targetfile", "list.csv")
+        self.targetFile = wikiutil.taintfilename(self.targetFile)  # replace illegal chars
 
     def sanitize(self):
         SubmitBase.sanitize(self)
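Review bot: The default `"list.csv"` on the line above the added one only applies when the `targetfile` field is absent; a form that submits the field empty yields `""`, which passes through `taintfilename` unchanged (presumably — its handling of empty input is not visible here) and leaves `self.targetFile` empty. Folding both steps into one line with a fallback closes that: `self.targetFile = wikiutil.taintfilename(request.form.get("targetfile", "list.csv")) or "list.csv"`. `wikiutil` must be imported in submitcsv.py outside this hunk, and the enclosing method begins before it.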