This page is about the 3rd party macro "SearchInPagesAndSort". There is no such hole in the standard MoinMoin distribution.
- Versions 0.2.4 to 0.3.1 have a security hole: you can specify arbitrary Python code as an argument value. Example:
[[SearchInPagesAndSort(p="name-of-a-page-that-does-not-exist", st="", NoPageText=open("/etc/inittab").readlines()[0])]]
... displays the first line of the /etc/inittab file.
- Fixed in version 0.3.3, where the same macro call returns:
Error: macro SearchInPagesAndSort:
malformed arguments list: p="name-of-a-page-that-does-not-exist", st="", NoPageText=open("/etc/inittab").readlines()[0] cause: name 'open' is not defined
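For macro authors, one way to parse a `key=value` argument list without evaluating it is shown below. This is an added example, not the SearchInPagesAndSort code and not its 0.3.3 fix; `parse_macro_args`, `MacroArgError` and `PAGE_EXAMPLE` are hypothetical names. It parses the arguments to a syntax tree and accepts only literal values, so the argument string from the example above is rejected and nothing in it is executed.

```python
import ast

# Argument string from the example on this page.
PAGE_EXAMPLE = ('p="name-of-a-page-that-does-not-exist", st="", '
                'NoPageText=open("/etc/inittab").readlines()[0]')


class MacroArgError(ValueError):
    """Raised when the argument list is not plain keyword=literal pairs."""


def parse_macro_args(arg_string):
    """Turn 'k1="v", k2=3' into a dict without evaluating any code."""
    try:
        # Wrap the arguments in a dummy call and parse only; nothing is run.
        tree = ast.parse("f(%s)" % arg_string, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise MacroArgError("malformed arguments list: %s" % exc)

    call = tree.body
    # The whole input must be exactly one call to the dummy name 'f'
    # with keyword arguments only (no positional or *args values).
    if (not isinstance(call, ast.Call)
            or not isinstance(call.func, ast.Name)
            or call.args):
        raise MacroArgError("only keyword=value arguments are accepted")

    result = {}
    for kw in call.keywords:
        if kw.arg is None:  # '**mapping' expansion has no keyword name
            raise MacroArgError("argument expansion is not accepted")
        try:
            # literal_eval accepts strings, numbers, tuples, lists, dicts,
            # sets, booleans and None; calls, names, attribute access and
            # subscripts are refused.
            result[kw.arg] = ast.literal_eval(kw.value)
        except (ValueError, TypeError):
            raise MacroArgError("argument %r is not a literal value" % kw.arg)
    return result
```
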