There is a path traversal issue in MoinMoin wiki (version 1.9.3 -
1.9.5). The vulnerability resides in the AttachFile action
(function _do_attachment_move in action/AttachFile.py). It fails to
properly sanitize file names.
Details can be found at: http://moinmo.in/SecurityFixes
A fix is available at:
http://hg.moinmo.in/moin/1.9/rev/3c27131a3c52
Is it possible to get a CVE number for this one?
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1356801565 -3600
# Node ID 3c27131a3c5275dac568b073e930fb6b2e0be907
# Parent ef1bee86328f2bccf6bfa9f5050372a5ea686df6
security: fix path traversal vulnerability in AttachFile action
diff -r ef1bee86328f -r 3c27131a3c52 MoinMoin/action/AttachFile.py
--- a/MoinMoin/action/AttachFile.py Sat Dec 29 17:13:39 2012 +0100
+++ b/MoinMoin/action/AttachFile.py Sat Dec 29 18:19:25 2012 +0100
@@ -678,6 +678,18 @@
def move_file(request, pagename, new_pagename, attachment, new_attachment):
+ """
+ move a file attachment from pagename:attachment to new_pagename:new_attachment
+
+ @param pagename: original pagename
+ @param new_pagename: new pagename (may be same as original pagename)
+ @param attachment: original attachment filename
+ note: attachment filename must not contain a path,
+ use wikiutil.taintfilename() before calling move_file
+ @param new_attachment: new attachment filename (may be same as original filename)
+ note: attachment filename must not contain a path,
+ use wikiutil.taintfilename() before calling move_file
+ """
_ = request.getText
newpage = Page(request, new_pagename)
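Review bot: this hunk only documents the no-path requirement for `attachment` and `new_attachment` in the move_file docstring; move_file itself still performs no check, so every caller must remember to apply `wikiutil.taintfilename()` first. Consider also enforcing the invariant inside move_file (e.g. refusing names where `name != wikiutil.taintfilename(name)`), so a future caller that forgets the check cannot reintroduce the traversal.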
@@ -740,6 +752,10 @@
upload_form(pagename, request, msg=_("Move aborted because new attachment name is empty."))
attachment = request.form.get('oldattachmentname')
+ if attachment != wikiutil.taintfilename(attachment):
+ upload_form(pagename, request, msg=_("Please use a valid filename for attachment '%(filename)s'.") % {
+ 'filename': attachment})
+ return
move_file(request, pagename, new_pagename, attachment, new_attachment)
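Review bot: the new check validates only `oldattachmentname`; the docstring added to move_file requires `new_attachment` to be path-free as well, and the surrounding context shows only an emptiness check for the new name ("Move aborted because new attachment name is empty."), so please confirm `new_attachment` gets the same `wikiutil.taintfilename()` comparison. Also, `request.form.get('oldattachmentname')` yields None when the field is missing; an explicit empty/missing check for the old name, mirroring the one for the new name, would avoid passing None into taintfilename and move_file.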