[Python-checkins] python/dist/src/Demo/cgi cgi3.py,1.1,1.2
gvanrossum@users.sourceforge.net
gvanrossum@users.sourceforge.net
Thu, 17 Oct 2002 04:45:56 -0700
Update of /cvsroot/python/python/dist/src/Demo/cgi
In directory usw-pr-cvs1:/tmp/cvs-serv9178
Modified Files:
cgi3.py
Log Message:
Security fixes: reject non-wiki-word page names; set homedir to /tmp.
Show errors returned by store().
A few nits.
Index: cgi3.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Demo/cgi/cgi3.py,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** cgi3.py 16 Oct 2002 21:01:27 -0000 1.1
--- cgi3.py 17 Oct 2002 11:45:54 -0000 1.2
***************
*** 12,17 ****
print "Content-type: text/html"
print
! cmd = form.getvalue("cmd") or "view"
! page = form.getvalue("page") or "FrontPage"
wiki = WikiPage(page)
wiki.load()
--- 12,17 ----
print "Content-type: text/html"
print
! cmd = form.getvalue("cmd", "view")
! page = form.getvalue("page", "FrontPage")
wiki = WikiPage(page)
wiki.load()
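Review bot: `form.getvalue("page", "FrontPage")` returns a list when the request repeats the `page` field, so a non-string can reach `WikiPage(page)` and the new wiki-word check. `form.getfirst("page", "FrontPage")`, and the same for `cmd`, always yields a single string. Separately, the constructor now raises ValueError for rejected names, and nothing visible in this hunk catches it after the Content-type header has been printed. The rejection would then presumably surface as a traceback or an empty page rather than a readable error. The enclosing function starts and ends outside the hunk, so a handler may exist there.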
***************
*** 21,28 ****
class WikiPage:
! homedir = os.path.dirname(sys.argv[0])
scripturl = os.path.basename(sys.argv[0])
def __init__(self, name):
self.name = name
self.load()
--- 21,30 ----
class WikiPage:
! homedir = "/tmp"
scripturl = os.path.basename(sys.argv[0])
def __init__(self, name):
+ if not self.iswikiword(name):
+ raise ValueError, "page name is not a wiki word"
self.name = name
self.load()
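Review bot: Setting `homedir = "/tmp"` puts the page files in a world-writable directory shared with every local account, where a file under a predictable wiki-word name can be pre-created or replaced by a symlink before the CGI writes it. A directory owned by the web-server user and not writable by others avoids that. At minimum the assignment deserves a comment such as `# /tmp is shared and world-writable: demo only, use a private directory in real use`. The new `iswikiword(name)` check is what keeps path separators out of the file name, but its body is outside this hunk. Confirm that its pattern is anchored at both ends and uses `\Z` rather than `$`, since `$` also accepts a trailing newline.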
***************
*** 49,53 ****
print "".join(words)
print "<hr>"
! print "<p>", self.mklink("edit", self.name, "Edit this page") + ","
print self.mklink("view", "FrontPage", "go to front page") + "."
--- 51,55 ----
print "".join(words)
print "<hr>"
! print "<p>", self.mklink("edit", self.name, "Edit this page") + ";"
print self.mklink("view", "FrontPage", "go to front page") + "."
***************
*** 65,70 ****
def cmd_create(self, form):
self.data = form.getvalue("text", "").strip()
! self.store()
! self.cmd_view(form)
def cmd_new(self, form):
--- 67,77 ----
def cmd_create(self, form):
self.data = form.getvalue("text", "").strip()
! error = self.store()
! if error:
! print "<h1>I'm sorry. That didn't work</h1>"
! print "<p>An error occurred while attempting to write the file:"
! print "<p>", escape(error)
! else:
! self.cmd_view(form)
def cmd_new(self, form):
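Review bot: The error branch in `cmd_create` sends whatever `store()` returned to the remote client. `escape()` takes care of markup injection, but if that text is an OS error string it presumably includes the server-side file path. Consider logging the detail and showing only a generic message, e.g. `sys.stderr.write("store failed: %s\n" % error)` followed by `print "<p>The page could not be saved."`. `store()` is outside the hunk, so what it actually returns should be confirmed.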