Description
XMLRPC putPage allows the user to use any page name except the empty string (MoinMoinBugs/XmlRpcPutPageAllowsEmptyPageName). This causes problems for page names that do not adhere to RFC3986 path terminators # or ?. In other words, you can make pages that are totally inaccessible from the browser.
Steps to reproduce
Use XMLRPC putPage with PageName test#?. You can use the script at MoinMoinBugs/XmlrpcPutPageStoresUnchangedPages/test_case2.py to reproduce the issue by simply changing the page name.
Browse the RecentChanges of the wiki used in the test. Observe that the page is present. Try to navigate to the page by clicking the link.
Component selection
The issue could be avoided by adding the characters # and ? to config.page_invalid_chars_regex. Simple diff for the fix: config.diff
Details
MoinMoin Version |
1.8.9 |
OS and Version |
Ubuntu 14.04 LTS |
Python Version |
Python 2.7.6 |
Server Setup |
wsgi |
Server Details |
|
Language you are using the wiki in (set in the browser/UserPreferences) |
en |
Workaround
Discussion
Plan
- Priority:
- Assigned to:
- Status: