Details

Applies to

MoinMoin version 1.5.4

Purpose
Insure items from user_form_remove aren't processed, to prevent spoofing the form submission
Description

When the 'UserPreferences' form is created, items from user_form_remove are missed off; however, an attacker could still send a spoofed form submission including the missed-off items. Note that this patch is probably not complete, and a more thorough treatment is likely needed. I don't think it's worth bothering to emit an error, since this kind of spoof shouldn't happen accidentally. ;-) Anyway, this patch is meant to just point out the generic security issue.

Patch

   1 diff -ur moin-1.5.4.orig/MoinMoin/userform.py moin-1.5.4/MoinMoin/userform.py
   2 --- moin-1.5.4.orig/MoinMoin/userform.py	2006-05-11 12:24:00.000000000 -0400
   3 +++ moin-1.5.4/MoinMoin/userform.py	2006-09-06 13:10:50.000000000 -0400
   4 @@ -67,6 +67,11 @@
   5          if form.has_key('cancel'):
   6              return
   7  
   8 +	# Partially prevent form spoofing
   9 +	for remove_item in self.cfg.user_form_remove:
  10 +	    if form.has_key(remove_item):
  11 +		del form[remove_item]
  12 +
  13          if form.has_key('account_sendmail'):
  14              if not self.cfg.mail_enabled:
  15                  return _("""This wiki is not enabled for mail processing.

formspoof.patch

Discussion

Plan


CategoryMoinMoinPatch

MoinMoin: MoinMoinPatch/PreventUserPreferencesCreateProfileFormSpoofing (last edited 2007-10-29 19:10:51 by localhost)