SECURITY: check filenames in editor
author
Bernie Innocenti
<bernie@codewiz.org>
Sun, 30 Nov 2008 23:52:18 +0000
(
00:52
+0100)
committer
Bernie Innocenti
<bernie@codewiz.org>
Mon, 1 Dec 2008 00:02:32 +0000
(
01:02
+0100)
geekigeeki.py
diff --git
a/geekigeeki.py
b/geekigeeki.py
index 5a3eb8e58abc8b422d77a1b64bda50789886e3c0..a7e99ed10121c9af816cfc76eddc0707edeeec94 100755
(executable)
--- a/
geekigeeki.py
+++ b/
geekigeeki.py
@@
-85,7
+85,7
@@
def send_guru(msg_text, msg_type):
print ' Software Failure. Press left mouse button to continue.\n'
print msg_text
if msg_type == 'error':
print ' Software Failure. Press left mouse button to continue.\n'
print msg_text
if msg_type == 'error':
- print ' Guru Meditation #DEADBEEF.ABADC0DE'
+ print '
\n
Guru Meditation #DEADBEEF.ABADC0DE'
print '</pre>'
# FIXME: This little JS snippet is harder to pass than ACID 3.0
print """
print '</pre>'
# FIXME: This little JS snippet is harder to pass than ACID 3.0
print """
@@
-179,6
+179,11
@@
def send_title(name, text="Limbo", msg_text=None, msg_type='error', writable=Fal
print '<hr /></div>'
print '<hr /></div>'
+def send_httperror(status="403 Not Found", query=""):
+ print "Status: %s" % status
+ send_title(None, msg_text=("%s: on query '%s'" % (status, query)))
+ send_footer(None)
+
def link_tag(params, text=None, ss_class=None, privileged=False):
if text is None:
text = params # default
def link_tag(params, text=None, ss_class=None, privileged=False):
if text is None:
text = params # default
@@
-240,9
+245,17
@@
def print_search_stats(hits, searched):
print "<p>%d hits out of %d pages searched.</p>" % (hits, searched)
def handle_raw(pagename):
print "<p>%d hits out of %d pages searched.</p>" % (hits, searched)
def handle_raw(pagename):
+ if not file_re.match(pagename):
+ send_httperror("403 Forbidden", pagename)
+ return
+
Page(pagename).send_raw()
def handle_edit(pagename):
Page(pagename).send_raw()
def handle_edit(pagename):
+ if not file_re.match(pagename):
+ send_httperror("403 Forbidden", pagename)
+ return
+
pg = Page(pagename)
if 'save' in form:
if form['file'].value:
pg = Page(pagename)
if 'save' in form:
if form['file'].value:
@@
-811,9
+824,7
@@
try:
else:
Page(query).format()
else:
else:
Page(query).format()
else:
- print "Status: 404 Not Found"
- send_title(None, msg_text='Can\'t work out query: ' + query)
- send_footer(None)
+ send_httperror("403 Forbidden", query)
except Exception:
import traceback
msg_text = traceback.format_exc()
except Exception:
import traceback
msg_text = traceback.format_exc()
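Review bot: The default argument of the new `send_httperror` pairs status code 403 with the reason phrase of 404 (`status="403 Not Found"`); every call in this commit passes the status explicitly, so the default is unused today, but it should read `def send_httperror(status="403 Forbidden", query=""):` so a later caller does not emit a contradictory Status header. The query is interpolated verbatim into msg_text before send_title prints it; send_title's body is outside the hunk, so if it does not escape msg_text the rejected page name is reflected into the error page and should be passed through cgi.escape first. In handle_raw and handle_edit the guard uses file_re.match, which only anchors at the start of the string; file_re is defined outside the hunk, so confirm its pattern ends with `$` (or `\Z`), otherwise a name with a valid prefix followed by other characters passes the check. A one-line comment above each guard, `# Reject page names that fail file_re before Page() touches the filesystem`, would document why the check must precede the Page() call.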