Commit 67d8cf38 by benjaoming

Security fix, do not call eval on input

parent d9d19f0d
# -*- coding: utf-8 -*-
import markdown import markdown
import re import re
......
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*-
''' '''
Wikipath Extension for Python-Markdown Wikipath Extension for Python-Markdown
......
# -*- coding: utf-8 -*-
""" """
Code modified from: Code modified from:
https://github.com/r0wb0t/markdown-urlize https://github.com/r0wb0t/markdown-urlize
......
# -*- coding: utf-8 -*-
import markdown import markdown
import re import re
...@@ -5,8 +6,11 @@ from django.utils.translation import ugettext as _ ...@@ -5,8 +6,11 @@ from django.utils.translation import ugettext as _
from django.template.loader import render_to_string from django.template.loader import render_to_string
from django.template import Context from django.template import Context
# See: http://stackoverflow.com/questions/430759/regex-for-managing-escaped-characters-for-items-like-string-literals
re_sq_short = r"'([^'\\]*(?:\\.[^'\\]*)*)'"
MACRO_RE = re.compile(r'.*(\[(?P<macro>\w+)(?P<kwargs>\s\w+\:.+)*\]).*', re.IGNORECASE) MACRO_RE = re.compile(r'.*(\[(?P<macro>\w+)(?P<kwargs>\s\w+\:.+)*\]).*', re.IGNORECASE)
KWARG_RE = re.compile(r'([^ |:]+):([^ |$]+)', re.IGNORECASE) KWARG_RE = re.compile(r'\s*(?P<arg>\w+)(:(?P<value>([^\']|%s)))?' % re_sq_short, re.IGNORECASE)
from wiki.plugins.macros import settings from wiki.plugins.macros import settings
...@@ -25,6 +29,9 @@ class MacroPreprocessor(markdown.preprocessors.Preprocessor): ...@@ -25,6 +29,9 @@ class MacroPreprocessor(markdown.preprocessors.Preprocessor):
allowed_methods = settings.METHODS allowed_methods = settings.METHODS
def run(self, lines): def run(self, lines):
# Look at all those indentations.
# That's insane, let's get a helper library
# Please note that this pattern is also in plugins.images
new_text = [] new_text = []
for line in lines: for line in lines:
m = MACRO_RE.match(line) m = MACRO_RE.match(line)
...@@ -33,8 +40,21 @@ class MacroPreprocessor(markdown.preprocessors.Preprocessor): ...@@ -33,8 +40,21 @@ class MacroPreprocessor(markdown.preprocessors.Preprocessor):
if macro in MacroPreprocessor.allowed_methods: if macro in MacroPreprocessor.allowed_methods:
kwargs = m.group('kwargs') kwargs = m.group('kwargs')
if kwargs: if kwargs:
kwargs = eval('{' + KWARG_RE.sub(r'"\1":"\2",', kwargs) + '}') kwargs_dict = {}
line = getattr(self, macro)(**kwargs) for kwarg in KWARG_RE.finditer(kwargs):
arg = kwarg.group('arg')
value = kwarg.group('value')
if value is None:
value = True
if isinstance(value, basestring):
# If value is enclosed with ': Remove and remove escape sequences
if value.startswith(u"'") and len(value) > 2:
value = value[1:-1]
value = value.replace(u"\\\\", u"¤KEEPME¤")
value = value.replace(u"\\", u"")
value = value.replace(u"¤KEEPME¤", u"\\")
kwargs_dict[arg] = value
line = getattr(self, macro)(**kwargs_dict)
else: else:
line = getattr(self, macro)() line = getattr(self, macro)()
if not line is None: if not line is None:
......
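Review bot: The new `KWARG_RE` near the top of the file, `r'\s*(?P<arg>\w+)(:(?P<value>([^\']|%s)))?'`, accepts only a single character as an unquoted value, because `[^\']` carries no quantifier; `arg:value` therefore yields `value == 'v'` and `finditer` goes on to read `alue` as a separate flag argument set to `True`, whereas the old pattern took whole tokens. If unquoted multi-character values are still meant to be supported, the alternative needs a quantifier, e.g. `([^\'\s]+|%s)`; if values must now be single-quoted, that rule should be stated in a comment next to the pattern. In the `run` hunk the quote-stripping guard `if value.startswith(u"'") and len(value) > 2:` skips the empty quoted value `''` (length 2), so both quote characters are passed through as the kwarg value; `len(value) >= 2` (or additionally checking `value.endswith(u"'")`) covers it. `run` begins in an earlier hunk and continues past the end of this one, so the remaining error handling around `getattr(self, macro)(**kwargs_dict)` is not visible here.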
# -*- coding: utf-8 -*-
from django.conf import settings as django_settings from django.conf import settings as django_settings
SLUG = 'macros' SLUG = 'macros'
......