Description
An XSS issue has been found in the code that is used to feed the GUI editor.
The erroneous code allows arbitrary HTML, including JavaScript, to be placed into the editor area of the GUI editor.
Component selection
- GUI editor (more precisely: the formatter used to feed the GUI editor)
Details
MoinMoin Version | likely all since the GUI editor was introduced, including 1.5.8, 1.6dev, 1.7dev
OS and Version | all
Python Version | all
Workaround
To keep users from easily running into this trap, you can simply disable the GUI editor in your wiki configuration:
editor_force = True
editor_default = 'text' # internal default, just for completeness
Please note that there are other means to call the GUI editor formatter (e.g. via a specially prepared URL), so while this avoids calling the problematic code via the UI, it does not protect users who follow specially prepared URLs they received by mail or found on a wiki page.
If you have disabled the GUI editor, you can additionally remove MoinMoin/formatter/text_gedit.py* to be safe.
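As an added example (not MoinMoin's own code), the following static check lets an administrator confirm that the workaround settings above are present in a wikiconfig.py and whether the GUI editor formatter file still exists; the wikiconfig.py contents and the MoinMoin root path are assumptions for your own install, and the sample configs are constructed.

```python
import ast
from pathlib import Path

# Settings the workaround expects in wikiconfig.py (assumed location; adjust for your install).
EXPECTED = {"editor_force": True, "editor_default": "text"}

def config_assignments(source):
    """Collect name = <literal> assignments (top level and inside the Config class)
    by parsing the file instead of executing it."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    try:
                        found[target.id] = ast.literal_eval(node.value)
                    except ValueError:
                        found[target.id] = None  # non-literal value: cannot judge statically
    return found

def check_workaround(config_source):
    """Return the settings that do not match the workaround; an empty list means it is applied."""
    values = config_assignments(config_source)
    problems = []
    for name, wanted in EXPECTED.items():
        if name not in values:
            problems.append(f"{name} is not set explicitly")
        elif values[name] != wanted:
            problems.append(f"{name} = {values[name]!r}, expected {wanted!r}")
    return problems

def formatter_present(moin_root):
    """True if MoinMoin/formatter/text_gedit.py* still exists below moin_root (assumed path)."""
    formatter_dir = Path(moin_root, "MoinMoin", "formatter")
    return formatter_dir.is_dir() and any(formatter_dir.glob("text_gedit.py*"))

# Constructed sample configs for demonstration; not taken from a real wiki.
VULNERABLE_CONFIG = """
class Config(DefaultConfig):
    sitename = u'Example Wiki'
    editor_default = 'gui'
"""
HARDENED_CONFIG = """
class Config(DefaultConfig):
    sitename = u'Example Wiki'
    editor_force = True
    editor_default = 'text'
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_workaround(src) or "workaround applied")
```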
Discussion
Might get into a 1.5.9 release later.
For now, please apply these patches:
1.6: backported from 1.7: http://hg.moinmo.in/moin/1.6/rev/4ae8e12f2246
Plan
- Priority: high
- Assigned to: ThomasWaldmann
- Status: fixed