Security fixes: reject non-wiki-word page names; set homedir to /tmp.

Show errors returned by store().

A few nits.
Guido van Rossum 2002-10-17 11:45:54 +00:00
parent f606e8d705
commit 48123b266c
1 changed files with 13 additions and 6 deletions


@ -11,8 +11,8 @@ def main():
form = cgi.FieldStorage()
print "Content-type: text/html"
print
cmd = form.getvalue("cmd") or "view"
page = form.getvalue("page") or "FrontPage"
cmd = form.getvalue("cmd", "view")
page = form.getvalue("page", "FrontPage")
wiki = WikiPage(page)
wiki.load()
method = getattr(wiki, 'cmd_' + cmd, None) or wiki.cmd_view
@ -20,10 +20,12 @@ def main():
class WikiPage:
homedir = os.path.dirname(sys.argv[0])
homedir = "/tmp"
scripturl = os.path.basename(sys.argv[0])
def __init__(self, name):
if not self.iswikiword(name):
raise ValueError, "page name is not a wiki word"
self.name = name
self.load()
@ -48,7 +50,7 @@ def cmd_view(self, form):
words[i] = word
print "".join(words)
print "<hr>"
print "<p>", self.mklink("edit", self.name, "Edit this page") + ","
print "<p>", self.mklink("edit", self.name, "Edit this page") + ";"
print self.mklink("view", "FrontPage", "go to front page") + "."
def cmd_edit(self, form, label="Change"):
@ -64,8 +66,13 @@ def cmd_edit(self, form, label="Change"):
def cmd_create(self, form):
self.data = form.getvalue("text", "").strip()
self.store()
self.cmd_view(form)
error = self.store()
if error:
print "<h1>I'm sorry. That didn't work</h1>"
print "<p>An error occurred while attempting to write the file:"
print "<p>", escape(error)
else:
self.cmd_view(form)
def cmd_new(self, form):
self.cmd_edit(form, label="Create Page")
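Review bot: `homedir = "/tmp"` in the WikiPage class body puts page storage in a shared, world-writable directory, so any other local account can pre-create, replace or symlink the files that load() and store() work on. The file-handling code is outside the shown hunks, so how it opens those paths cannot be confirmed from here. A dedicated directory that only the CGI user can write would still avoid writing next to the script, e.g. `homedir = "/path/to/private/wikidata"  # placeholder: owned by the CGI user, mode 0700`. Separately, the new name check in `__init__` is only as strong as iswikiword(), which is not shown; it should match the whole name, anchored at both ends, so that nothing can follow a valid wiki-word prefix. The `ValueError` it raises is also not caught in main(), which has already printed the Content-type header by then, so a rejected name presumably ends in a traceback rather than an error page.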