changeset 616:36ea97c06541

security: fix remote code execution vulnerability in SvgEditor
author Reimar Bauer <rb.proj AT googlemail DOT com>
date Sun, 30 Dec 2012 07:30:00 +0100
parents 56a239027b87
children 07e8932e3594
files data/plugin/action/SvgEditor.py
diffstat 1 files changed, 1 insertions(+), 0 deletions(-) [+]
--- a/data/plugin/action/SvgEditor.py	Wed Aug 15 13:39:27 2012 +0200
+++ b/data/plugin/action/SvgEditor.py	Sun Dec 30 07:30:00 2012 +0100
@@ -84,6 +84,7 @@
 
         filecontent = request.values.get('svg_data', '')
         target = request.values.get('target', 'example.svg').strip()
+        target = wikiutil.taintfilename(target)
         if filecontent:
             AttachFile._addLogEntry(request, 'ATTDRW', pagename, target)
             # get directory, and possibly create it
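Review bot: After the added `wikiutil.taintfilename(target)` line, `target` can still be an empty string or carry any extension. The `'example.svg'` default only applies when the parameter is absent, not when the client sends `target=` with no value. The following lines log the name and presumably use it to build the attachment path. This action appears to store only SVG drawings, so consider rejecting or replacing other names right after the sanitising call, e.g. `if not target.lower().endswith('.svg'): target = 'example.svg'`, and add a comment such as `# target is client-supplied; reduce it to a plain file name before any path join`. The enclosing function starts and ends outside the hunk, so a later check may already cover this.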