Skip to content

Commit

Permalink
Merge pull request from GHSA-52q8-877j-gghq
Browse files Browse the repository at this point in the history 
security: fix remote code execution via cache action, CVE-2020-25074
  • Loading branch information
@ThomasWaldmann
ThomasWaldmann authored Nov 8, 2020
2 parents 31de913 + d1e5fc7 commit 6b96a90
Showing 1 changed file with 20 additions and 7 deletions.
27 changes: 20 additions & 7 deletions MoinMoin/action/cache.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,19 @@ def key(request, wikiname=None, itemname=None, attachname=None, content=None, se
return key


def valid_key(key):
# make sure the key looks like keys generated by key()
if not isinstance(key, unicode):
# key is None (not given in url args) or something unexpected
return False
try:
int(key, 16) # try to evaluate as hex number
except ValueError:
# was not a hex number
return False
return len(key) == 40 # hmac-sha1 hexdigest == 40 hex chars


def put(request, key, data,
filename=None,
content_type=None,
Expand Down Expand Up @@ -234,14 +247,14 @@ def _do_remove(request, key):
remove(request, key)


def _do(request, do, key):
if do == 'get':
_do_get(request, key)
elif do == 'remove':
_do_remove(request, key)

def execute(pagename, request):
do = request.values.get('do')
key = request.values.get('key')
_do(request, do, key)
valid = valid_key(key) # validate untrusted input
if valid and do == 'get':
_do_get(request, key)
elif valid and do == 'remove':
_do_remove(request, key)
else:
request.status_code = 404

0 comments on commit 6b96a90

Please sign in to comment.