[Python-checkins] python/dist/src/Demo/cgi cgi3.py,1.1,1.2

gvanrossum@users.sourceforge.net gvanrossum@users.sourceforge.net
Thu, 17 Oct 2002 04:45:56 -0700


Update of /cvsroot/python/python/dist/src/Demo/cgi
In directory usw-pr-cvs1:/tmp/cvs-serv9178

Modified Files:
	cgi3.py 
Log Message:
Security fixes: reject non-wiki-word page names; set homedir to /tmp.

Show errors returned by store().

A few nits.


Index: cgi3.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Demo/cgi/cgi3.py,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** cgi3.py	16 Oct 2002 21:01:27 -0000	1.1
--- cgi3.py	17 Oct 2002 11:45:54 -0000	1.2
***************
*** 12,17 ****
      print "Content-type: text/html"
      print
!     cmd = form.getvalue("cmd") or "view"
!     page = form.getvalue("page") or "FrontPage"
      wiki = WikiPage(page)
      wiki.load()
--- 12,17 ----
      print "Content-type: text/html"
      print
!     cmd = form.getvalue("cmd", "view")
!     page = form.getvalue("page", "FrontPage")
      wiki = WikiPage(page)
      wiki.load()
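Review bot: `form.getvalue("page", "FrontPage")` returns a list when the request repeats the `page` field, and that list is passed straight to `WikiPage(page)`; `cmd` has the same problem. `form.getfirst("page", "FrontPage")` and `form.getfirst("cmd", "view")` always return a single string. Separately, the constructor now raises ValueError for a rejected name and no try/except is visible around `wiki = WikiPage(page)`, so a bad name appears to end the request with a traceback after the Content-type header has already been printed. Catching ValueError here and printing a short error page would keep the rejection clean. The enclosing function starts and ends outside this hunk.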
***************
*** 21,28 ****
  class WikiPage:
  
!     homedir = os.path.dirname(sys.argv[0])
      scripturl = os.path.basename(sys.argv[0])
  
      def __init__(self, name):
          self.name = name
          self.load()
--- 21,30 ----
  class WikiPage:
  
!     homedir = "/tmp"
      scripturl = os.path.basename(sys.argv[0])
  
      def __init__(self, name):
+         if not self.iswikiword(name):
+             raise ValueError, "page name is not a wiki word"
          self.name = name
          self.load()
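Review bot: `homedir = "/tmp"` moves page storage out of the script directory, but into a world-writable directory shared by every local account, where the file names follow predictably from the page names. Any local user can pre-create or replace a file or symlink under a name the wiki will later read or write; how load() and store() open the file is outside this hunk, so confirm they do not follow such links. A directory owned by the CGI user and not writable by others is safer, e.g. `homedir = "<WIKI_DATA_DIR>"  # placeholder: private, mode 0700`, or at least a comment stating that /tmp is acceptable only for a demo. `iswikiword()` is also defined outside the hunk, and the new check only protects the path if it matches the whole name rather than a prefix.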
***************
*** 49,53 ****
              print "".join(words)
          print "<hr>"
!         print "<p>", self.mklink("edit", self.name, "Edit this page") + ","
          print self.mklink("view", "FrontPage", "go to front page") + "."
  
--- 51,55 ----
              print "".join(words)
          print "<hr>"
!         print "<p>", self.mklink("edit", self.name, "Edit this page") + ";"
          print self.mklink("view", "FrontPage", "go to front page") + "."
  
***************
*** 65,70 ****
      def cmd_create(self, form):
          self.data = form.getvalue("text", "").strip()
!         self.store()
!         self.cmd_view(form)
  
      def cmd_new(self, form):
--- 67,77 ----
      def cmd_create(self, form):
          self.data = form.getvalue("text", "").strip()
!         error = self.store()
!         if error:
!             print "<h1>I'm sorry.  That didn't work</h1>"
!             print "<p>An error occurred while attempting to write the file:"
!             print "<p>", escape(error)
!         else:
!             self.cmd_view(form)
  
      def cmd_new(self, form):
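Review bot: `print "<p>", escape(error)` sends the raw error from `store()` to the remote client. The escaping does prevent markup injection, but `store()` is outside this hunk, and if its string carries the OS error text it will probably include the server-side path and the failure reason. I would keep the generic apology for the browser and send the detail to the server log instead, for example `print >>sys.stderr, "wiki store failed:", error` in place of that line. A one-line comment on `store()`'s return contract (an empty value on success, a message string on failure) would also make the `if error:` test easier to read.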