# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1200868068 -3600
# Node ID e69a16b6e63020ac615e74b3184d6e89597352e0
# Parent 2f952fa361c7bc6ed127ec0618038272385186cd
Security fix: only accept valid user IDs from the cookie
diff -r 2f952fa361c7 -r e69a16b6e630 MoinMoin/user.py
9
--- a/MoinMoin/user.py Sun Jan 20 17:36:42 2008 +0100
10
+++ b/MoinMoin/user.py Sun Jan 20 23:27:48 2008 +0100
12
@license: GNU GPL, see COPYING for details.
15
-import os, time, sha, codecs
16
+import os, time, sha, codecs, re
19
import cPickle as pickle
20
@@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi
21
from MoinMoin import config, caching, wikiutil
22
from MoinMoin.util import filesys, timefuncs
24
+USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
26
def getUserList(request):
27
""" Get a list of all (numerical) user IDs.
28
@@ -27,10 +28,9 @@ def getUserList(request):
33
- user_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
35
files = dircache.listdir(request.cfg.user_dir)
36
- userlist = [f for f in files if user_re.match(f)]
37
+ userlist = [f for f in files if USERID_re.match(f)]
41
@@ -210,7 +210,7 @@ class User:
42
self._cfg = request.cfg
46
+ self.id = self.id_sanitycheck(id)
47
self.auth_username = auth_username
48
self.auth_method = kw.get('auth_method', 'internal')
49
self.auth_attribs = kw.get('auth_attribs', ())
50
@@ -298,6 +298,15 @@ class User:
51
# use it reliably in edit locking
52
from random import randint
53
return "%s.%d" % (str(time.time()), randint(0,65535))
55
+ def id_sanitycheck(self, id):
56
+ """ only return valid user IDs, avoid someone faking his cookie to
57
+ contain '../../../somefile', breaking out of the data/user/ directory!
59
+ if id and USERID_re.match(id):
64
def create_or_update(self, changed=False):
65
""" Create or update a user profile
66
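Review bot: The `$` anchor in `USERID_re` (`r'^\d+\.\d+(\.\d+)?$'`) still lets a value with a single trailing newline through, because in Python's `re` module `$` matches just before a final `\n`, so `id_sanitycheck` would accept `'1.2\n'` and the value would be used as-is in the user directory path; `\Z` anchors at the true end of the string, so the line should read `USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?\Z')`. The same pattern is reused by `getUserList`, so the one-character change covers both callers. In `id_sanitycheck` the parameter `id` shadows the builtin; a name such as `uid` would avoid that, though the existing `__init__` signature appears to use `id` too, so keep them consistent if renamed. The hunk shows only the `if id and USERID_re.match(id):` line of the method; the return branches and the rest of the docstring fall outside this rendering, and the docstring as shown does not say what is returned when the check fails, so a closing line like `Returns the id unchanged when it is well-formed, else None.` (adjusted to whatever the method actually returns) would help readers of the cookie-handling code.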
diff -r 2f952fa361c7 -r e69a16b6e630 docs/CHANGES
67
--- a/docs/CHANGES Sun Jan 20 17:36:42 2008 +0100
68
+++ b/docs/CHANGES Sun Jan 20 23:27:48 2008 +0100
69
@@ -44,6 +44,7 @@ Version 1.5.current:
70
* Fixed Despam action (same editor grouping was broken), now looking for
71
spam edits in the last 30 days.
72
* Fixed XSS issue in login action.
73
+ * Security fix: only accept valid user IDs from the cookie.