Security fixes: reject non-wiki-word page names; set homedir to /tmp.

gvanrossum · gvanrossum · commit 48123b266cd8 · 2002-10-17T11:45:54.000Z
Show errors returned by store().

A few nits.
diff --git a/Demo/cgi/cgi3.py b/Demo/cgi/cgi3.py
@@ -11,19 +11,21 @@ def main():
     form = cgi.FieldStorage()
     print "Content-type: text/html"
     print
-    cmd = form.getvalue("cmd") or "view"
-    page = form.getvalue("page") or "FrontPage"
+    cmd = form.getvalue("cmd", "view")
+    page = form.getvalue("page", "FrontPage")
     wiki = WikiPage(page)
     wiki.load()
     method = getattr(wiki, 'cmd_' + cmd, None) or wiki.cmd_view
     method(form)
 
 class WikiPage:
 
-    homedir = os.path.dirname(sys.argv[0])
+    homedir = "/tmp"
     scripturl = os.path.basename(sys.argv[0])
 
     def __init__(self, name):
+        if not self.iswikiword(name):
+            raise ValueError, "page name is not a wiki word"
         self.name = name
         self.load()
 
@@ -48,7 +50,7 @@ def cmd_view(self, form):
                 words[i] = word
             print "".join(words)
         print "<hr>"
-        print "<p>", self.mklink("edit", self.name, "Edit this page") + ","
+        print "<p>", self.mklink("edit", self.name, "Edit this page") + ";"
         print self.mklink("view", "FrontPage", "go to front page") + "."
 
     def cmd_edit(self, form, label="Change"):
@@ -64,8 +66,13 @@ def cmd_edit(self, form, label="Change"):
 
     def cmd_create(self, form):
         self.data = form.getvalue("text", "").strip()
-        self.store()
-        self.cmd_view(form)
+        error = self.store()
+        if error:
+            print "<h1>I'm sorry.  That didn't work</h1>"
+            print "<p>An error occurred while attempting to write the file:"
+            print "<p>", escape(error)
+        else:
+            self.cmd_view(form)
 
     def cmd_new(self, form):
         self.cmd_edit(form, label="Create Page")
