SECURITY: check filenames in editor
authorBernie Innocenti <bernie@codewiz.org>
Sun, 30 Nov 2008 23:52:18 +0000 (00:52 +0100)
committerBernie Innocenti <bernie@codewiz.org>
Mon, 1 Dec 2008 00:02:32 +0000 (01:02 +0100)
geekigeeki.py

index 5a3eb8e58abc8b422d77a1b64bda50789886e3c0..a7e99ed10121c9af816cfc76eddc0707edeeec94 100755 (executable)
@@ -85,7 +85,7 @@ def send_guru(msg_text, msg_type):
         print '    Software Failure.  Press left mouse button to continue.\n'
     print msg_text
     if msg_type == 'error':
-        print '      Guru Meditation #DEADBEEF.ABADC0DE'
+        print '\n      Guru Meditation #DEADBEEF.ABADC0DE'
     print '</pre>'
     # FIXME: This little JS snippet is harder to pass than ACID 3.0 
     print """
@@ -179,6 +179,11 @@ def send_title(name, text="Limbo", msg_text=None, msg_type='error', writable=Fal
 
     print '<hr /></div>'
 
+def send_httperror(status="403 Not Found", query=""):
+    print "Status: %s" % status
+    send_title(None, msg_text=("%s: on query '%s'" % (status, query)))
+    send_footer(None)
+
 def link_tag(params, text=None, ss_class=None, privileged=False):
     if text is None:
         text = params # default
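Review bot: The default `status="403 Not Found"` on the new `send_httperror` pairs the 403 code with the 404 reason phrase, so any caller that relies on the default emits a self-contradictory Status header; it should be `status="403 Forbidden"` (or `"404 Not Found"` if not-found was the intent). The query is also interpolated verbatim into `msg_text`; if `send_title` does not escape it before printing (send_guru in the hunk above prints msg_text raw inside `<pre>`), a user-controlled query is reflected into the response, so passing `cgi.escape(query)` here would be safer. A one-line docstring saying that this prints a CGI `Status:` header followed by a complete error page would also help, since the name alone suggests a bare header.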
@@ -240,9 +245,17 @@ def print_search_stats(hits, searched):
     print "<p>%d hits out of %d pages searched.</p>" % (hits, searched)
 
 def handle_raw(pagename):
+    if not file_re.match(pagename):
+        send_httperror("403 Forbidden", pagename)
+        return
+
     Page(pagename).send_raw()
 
 def handle_edit(pagename):
+    if not file_re.match(pagename):
+        send_httperror("403 Forbidden", pagename)
+        return
+
     pg = Page(pagename)
     if 'save' in form:
         if form['file'].value:
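Review bot: The new guard in handle_raw and handle_edit uses `file_re.match`, which anchors only at the start of `pagename`; unless `file_re` (defined outside this hunk) ends with `$` or `\Z`, a name with an acceptable prefix and arbitrary trailing characters still passes, so the pattern should be confirmed to be fully anchored before treating this as a complete filename check. The same four lines are duplicated in both handlers; a small helper such as `def check_filename(pagename): return file_re.match(pagename) is not None`, or doing the check once in the dispatcher before calling either handler, would keep other handlers from silently missing it. handle_edit's body continues past the end of the hunk.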
@@ -811,9 +824,7 @@ try:
                 else:
                     Page(query).format()
         else:
-            print "Status: 404 Not Found"
-            send_title(None, msg_text='Can\'t work out query: ' + query)
-            send_footer(None)
+            send_httperror("403 Forbidden", query)
 except Exception:
     import traceback
     msg_text = traceback.format_exc()
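Review bot: The fallback for a query the dispatcher cannot parse now reports `403 Forbidden`, whereas the removed lines reported `404 Not Found` and said why (`Can't work out query`); an unrecognised query is not a permission failure, so `send_httperror("404 Not Found", query)` (or a 400) is more accurate for clients and for log triage. The enclosing try block starts before the hunk.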