diff options
author | Guido van Rossum <guido@python.org> | 2002-10-17 11:45:54 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2002-10-17 11:45:54 (GMT) |
commit | 48123b266cd8d041ca6d66f148c3a6c054b2cc00 (patch) | |
tree | 174f0786467f5c7c3fc962f652c6714e5697d206 /Demo | |
parent | f606e8d705dbd0417e6a8030b426a7bc18dd2614 (diff) | |
download | cpython-48123b266cd8d041ca6d66f148c3a6c054b2cc00.zip cpython-48123b266cd8d041ca6d66f148c3a6c054b2cc00.tar.gz cpython-48123b266cd8d041ca6d66f148c3a6c054b2cc00.tar.bz2 |
Security fixes: reject non-wiki-word page names; set homedir to /tmp.
Show errors returned by store().
A few nits.
Diffstat (limited to 'Demo')
-rwxr-xr-x | Demo/cgi/cgi3.py | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/Demo/cgi/cgi3.py b/Demo/cgi/cgi3.py index bdb2cb7..9aad3a0 100755 --- a/Demo/cgi/cgi3.py +++ b/Demo/cgi/cgi3.py @@ -11,8 +11,8 @@ def main(): form = cgi.FieldStorage() print "Content-type: text/html" print - cmd = form.getvalue("cmd") or "view" - page = form.getvalue("page") or "FrontPage" + cmd = form.getvalue("cmd", "view") + page = form.getvalue("page", "FrontPage") wiki = WikiPage(page) wiki.load() method = getattr(wiki, 'cmd_' + cmd, None) or wiki.cmd_view @@ -20,10 +20,12 @@ def main(): class WikiPage: - homedir = os.path.dirname(sys.argv[0]) + homedir = "/tmp" scripturl = os.path.basename(sys.argv[0]) def __init__(self, name): + if not self.iswikiword(name): + raise ValueError, "page name is not a wiki word" self.name = name self.load() @@ -48,7 +50,7 @@ class WikiPage: words[i] = word print "".join(words) print "<hr>" - print "<p>", self.mklink("edit", self.name, "Edit this page") + "," + print "<p>", self.mklink("edit", self.name, "Edit this page") + ";" print self.mklink("view", "FrontPage", "go to front page") + "." def cmd_edit(self, form, label="Change"): @@ -64,8 +66,13 @@ class WikiPage: def cmd_create(self, form): self.data = form.getvalue("text", "").strip() - self.store() - self.cmd_view(form) + error = self.store() + if error: + print "<h1>I'm sorry. That didn't work</h1>" + print "<p>An error occurred while attempting to write the file:" + print "<p>", escape(error) + else: + self.cmd_view(form) def cmd_new(self, form): self.cmd_edit(form, label="Create Page") |