From: Bernie Innocenti Date: Sun, 30 Nov 2008 23:52:18 +0000 (+0100) Subject: SECURITY: check filenames in editor X-Git-Tag: v3.0~7^2 X-Git-Url: https://codewiz.org/gitweb?a=commitdiff_plain;h=5f99f96a7a102bb8f2c491dd1e11fe8686c7c0a0;p=geekigeeki.git SECURITY: check filenames in editor
---
diff --git a/geekigeeki.py b/geekigeeki.py
index 5a3eb8e..a7e99ed 100755
--- a/geekigeeki.py
+++ b/geekigeeki.py
@@ -85,7 +85,7 @@ def send_guru(msg_text, msg_type):
 print ' Software Failure. Press left mouse button to continue.\n'
 print msg_text
 if msg_type == 'error':
- print ' Guru Meditation #DEADBEEF.ABADC0DE'
+ print '\n Guru Meditation #DEADBEEF.ABADC0DE'
 print ''
 # FIXME: This little JS snippet is harder to pass than ACID 3.0
 print """
@@ -179,6 +179,11 @@ def send_title(name, text="Limbo", msg_text=None, msg_type='error', writable=Fal
 print '
'
+def send_httperror(status="403 Not Found", query=""):
+ print "Status: %s" % status
+ send_title(None, msg_text=("%s: on query '%s'" % (status, query)))
+ send_footer(None)
+
 def link_tag(params, text=None, ss_class=None, privileged=False):
 if text is None:
 text = params # default
@@ -240,9 +245,17 @@ def print_search_stats(hits, searched):
 print "
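Review bot: The default `status="403 Not Found"` in send_httperror pairs the 403 code with the 404 reason phrase; every caller in this commit passes an explicit status, so the default should at least be made self-consistent, `def send_httperror(status="403 Forbidden", query=""):`. The query argument is request-controlled and is embedded in the message passed to send_title, which lives outside the hunk; confirm that send_title escapes msg_text before writing it into the page, otherwise the rejection page itself reflects the untrusted name. A one-line docstring such as `"""Emit a CGI Status header and an error page naming the rejected query."""` would also help.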

%d hits out of %d pages searched.

" % (hits, searched) def handle_raw(pagename): + if not file_re.match(pagename): + send_httperror("403 Forbidden", pagename) + return + Page(pagename).send_raw() def handle_edit(pagename): + if not file_re.match(pagename): + send_httperror("403 Forbidden", pagename) + return + pg = Page(pagename) if 'save' in form: if form['file'].value: @@ -811,9 +824,7 @@ try: else: Page(query).format() else: - print "Status: 404 Not Found" - send_title(None, msg_text='Can\'t work out query: ' + query) - send_footer(None) + send_httperror("403 Forbidden", query) except Exception: import traceback msg_text = traceback.format_exc()