checking input before use

[lasse@…]

Sins rename_page function does not check the content of oldname and newname you can use this plugin to much more than just renaming wiki pages..

if you have "lost" your admin rights .. this would be a quick fix..

just rename a page
from: "blahblah'; INSERT INTO permission (username, action) VALUES ('lasse', 'TRAC_ADMIN');"
to: "blahblah2"

Some filtering should probably be done on the input..

[dagomez]

Hi, I'm a bit puzzled because I tried to replicate the exploit but it doesn't seem to work in my local installation. That's supposed to be good but I'm still worried.

Traceback (most recent call last):

  File "C:\Python25\lib\site-packages\trac\web\main.py", line 406, in dispatch_request
    dispatcher.dispatch(req)
  File "C:\Python25\lib\site-packages\trac\web\main.py", line 237, in dispatch
    resp = chosen_handler.process_request(req)
  File "c:\desarrollo\wikirenameplugin\wikirename\web_ui.py", line 69, in process_request
    rename_page(self.env, src, dest, req.authname, req.remote_addr, debug=self.log.debug)
  File "c:\desarrollo\wikirenameplugin\wikirename\util.py", line 47, in rename_page
    cursor.execute(sql)
  File "C:\Python25\lib\site-packages\trac\db\util.py", line 51, in execute
    return self.cursor.execute(sql)
  File "C:\Python25\lib\site-packages\trac\db\sqlite_backend.py", line 56, in execute
    args or [])
  File "C:\Python25\lib\site-packages\trac\db\sqlite_backend.py", line 48, in _rollback_on_error
    return function(self, *args, **kwargs)
Warning: You can only execute one statement at a time.

[lasse@…]

Replying to dagomez:

hmm .. well the last line states that it wont execute more than one statement at a time, so either this is specific to sqlite (I use MySQL) or you are using a different version of trac than me.

[Ryan J Ollos]

0.10 version of the plugin is deprecated.