there is a path traversal issue in MoinMoin wiki (version 1.9.3 - 1.9.5). The vulnerability resides in the AttachFile action (function _do_attachment_move in action/AttachFile.py). It fails to properly sanitize file names. Details can be found at: http://moinmo.in/SecurityFixes A fix is available at: http://hg.moinmo.in/moin/1.9/rev/3c27131a3c52 Is it possible to get a CVE number for this one? # HG changeset patch # User Thomas Waldmann <tw AT waldmann-edv DOT de> # Date 1356801565 -3600 # Node ID 3c27131a3c5275dac568b073e930fb6b2e0be907 # Parent ef1bee86328f2bccf6bfa9f5050372a5ea686df6 security: fix path traversal vulnerability in AttachFile action diff -r ef1bee86328f -r 3c27131a3c52 MoinMoin/action/AttachFile.py --- a/MoinMoin/action/AttachFile.py Sat Dec 29 17:13:39 2012 +0100 +++ b/MoinMoin/action/AttachFile.py Sat Dec 29 18:19:25 2012 +0100 @@ -678,6 +678,18 @@ def move_file(request, pagename, new_pagename, attachment, new_attachment): + """ + move a file attachment from pagename:attachment to new_pagename:new_attachment + + @param pagename: original pagename + @param new_pagename: new pagename (may be same as original pagename) + @param attachment: original attachment filename + note: attachment filename must not contain a path, + use wikiutil.taintfilename() before calling move_file + @param new_attachment: new attachment filename (may be same as original filename) + note: attachment filename must not contain a path, + use wikiutil.taintfilename() before calling move_file + """ _ = request.getText newpage = Page(request, new_pagename) @@ -740,6 +752,10 @@ upload_form(pagename, request, msg=_("Move aborted because new attachment name is empty.")) attachment = request.form.get('oldattachmentname') + if attachment != wikiutil.taintfilename(attachment): + upload_form(pagename, request, msg=_("Please use a valid filename for attachment '%(filename)s'.") % { + 'filename': attachment}) + return move_file(request, pagename, new_pagename, attachment, new_attachment)