security fix for CVE-2017-5934, XSS in GUI editor related code

ThomasWaldmann · ThomasWaldmann · commit 70955a8eae09 · 2018-09-09T19:57:01.000+02:00
Thanks to Nitin Venkatesh for discovering and reporting this!
diff --git a/MoinMoin/action/fckdialog.py b/MoinMoin/action/fckdialog.py
@@ -203,6 +203,7 @@ def page_list(request):
 def link_dialog(request):
     # list of wiki pages
     name = request.values.get("pagename", "")
+    name_escaped = wikiutil.escape(name)
     if name:
         from MoinMoin import search
         # XXX error handling!
@@ -299,7 +300,7 @@ def link_dialog(request):
         <tr>
          <td>
           <span fckLang="PageDlgName">Page Name</span><br>
-          <input id="txtPagename" name="pagename" size="30" value="%(name)s">
+          <input id="txtPagename" name="pagename" size="30" value="%(name_escaped)s">
          </td>
          <td valign="bottom">
            <input id=btnSearchpage type="submit" value="Search">
diff --git a/docs/CHANGES b/docs/CHANGES
@@ -23,6 +23,7 @@ Version 1.9.10 aka "the end of spam release" (not released yet)
         should be aware of beforehands.
 
   Fixes:
+  * security fix for CVE-2017-5934, XSS in GUI editor related code
   * fix wrong digestmod of hmac.new calls (incorporate 1.9.9 patch)
   * fix broken table attribute processing (wikiutil.escape)
   * fix AttributeError in multifile action
