From 48123b266cd8d041ca6d66f148c3a6c054b2cc00 Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Thu, 17 Oct 2002 11:45:54 +0000
Subject: [PATCH] Security fixes: reject non-wiki-word page names; set homedir to /tmp. Show errors returned by store(). A few nits.
---
 Demo/cgi/cgi3.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/Demo/cgi/cgi3.py b/Demo/cgi/cgi3.py
index bdb2cb7aa2a..9aad3a0fc45 100755
--- a/Demo/cgi/cgi3.py
+++ b/Demo/cgi/cgi3.py
@@ -11,8 +11,8 @@ def main():
 form = cgi.FieldStorage()
 print "Content-type: text/html"
 print
- cmd = form.getvalue("cmd") or "view"
- page = form.getvalue("page") or "FrontPage"
+ cmd = form.getvalue("cmd", "view")
+ page = form.getvalue("page", "FrontPage")
 wiki = WikiPage(page)
 wiki.load()
 method = getattr(wiki, 'cmd_' + cmd, None) or wiki.cmd_view
@@ -20,10 +20,12 @@ def main():
 class WikiPage:
- homedir = os.path.dirname(sys.argv[0])
+ homedir = "/tmp"
 scripturl = os.path.basename(sys.argv[0])
 def __init__(self, name):
+ if not self.iswikiword(name):
+ raise ValueError, "page name is not a wiki word"
 self.name = name
 self.load()
@@ -48,7 +50,7 @@ def cmd_view(self, form):
 words[i] = word
 print "".join(words)
 print "
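Review bot: With the new wiki-word check in WikiPage.__init__, `wiki = WikiPage(page)` in main() now raises ValueError for any page name that is not a wiki word, and nothing in main() catches it, so the request aborts with an uncaught exception after `Content-type: text/html` has already been written and the visitor gets a blank or half-written page instead of an explanation. Catch the ValueError around the constructor and print a short escaped message instead (escape is already used unqualified in the cmd_create hunk, so it appears to be in module scope), as sketched below. Separately, `form.getvalue("cmd", "view")` returns a list when the field is repeated in the request, which makes `'cmd_' + cmd` fail with a TypeError; `form.getfirst("cmd", "view")` keeps the value a string, and the same applies to `page` here and to `form.getvalue("text", "")` in the cmd_create hunk, where `.strip()` would fail on a list. main() continues past the end of this hunk.
```python
    try:
        wiki = WikiPage(page)
    except ValueError, err:
        print "<p>", escape(str(err))
        return
    # ... unchanged: wiki.load() and command dispatch ...
```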
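Review bot: `homedir = "/tmp"` puts every page file into a directory shared with all local users, so any local account can read pages, overwrite them, or pre-create an entry (a symlink, for instance) under a page name the wiki will later write to, and the data does not survive a routine /tmp cleanup. The wiki-word check limits which names reach the file system, but it does not protect the directory itself. Prefer a directory owned by the account the CGI runs as with nothing else writing to it, e.g. `homedir = "<dedicated wiki data directory>"`, created with restrictive permissions outside the script. How the file name is derived from the page name is not visible in this hunk; if it is a plain join with homedir, the wiki-word check is also the only thing keeping path separators out of the name, which deserves a comment next to the `iswikiword` call.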
"
- print "

", self.mklink("edit", self.name, "Edit this page") + ","
+ print "

", self.mklink("edit", self.name, "Edit this page") + ";"
 print self.mklink("view", "FrontPage", "go to front page") + "."
 def cmd_edit(self, form, label="Change"):
@@ -64,8 +66,13 @@ def cmd_edit(self, form, label="Change"):
 def cmd_create(self, form):
 self.data = form.getvalue("text", "").strip()
- self.store()
- self.cmd_view(form)
+ error = self.store()
+ if error:
+ print "

I'm sorry. That didn't work

"
+ print "

An error occurred while attempting to write the file:"
+ print "

", escape(error)
+ else:
+ self.cmd_view(form)
 def cmd_new(self, form):
 self.cmd_edit(form, label="Create Page")
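Review bot: The text returned by store() is shown to the visitor verbatim at `print "<p>", escape(error)` (escaped, so not an HTML-injection risk), but if store() passes back the raw exception message it will typically contain the full on-disk path of the page file, which tells an outsider where the wiki keeps its data. What store() returns is not visible in this hunk, so confirm its content; if it is the OS error text, log it to stderr with `print >>sys.stderr, "store failed:", error` and show only the fixed "An error occurred" sentence (sys is already in scope, as the class body uses sys.argv). Since main() prints the Content-type header with no Status line, this failure page also goes out as a normal 200 response, which is worth a comment if it is intentional.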