
fix _edit access loophole

2023-08-25 22:08:04 +03:00
parent f2a76da7e2
commit 93397a774f
2 changed files with 53 additions and 2 deletions


@@ -379,10 +379,11 @@ def editexpopage(request, path):
o = open(filepath, "r", encoding="utf8")
html = o.read()
autogeneratedmatch = re.search(
r"\<\!--\s*(.*?(Do not edit|It is auto-generated).*?)\s*--\>", html, re.DOTALL + re.IGNORECASE
r"\<\!--\s*(.*?(Do not edit|It is auto-generated|NOEDIT).*?)\s*--\>", html, re.DOTALL + re.IGNORECASE
)
if autogeneratedmatch:
return HttpResponse(autogeneratedmatch.group(1))
message = "\tThis page is either auto-generated, and so cannot be edited,\n\t\tor it is too complex to allow users to edit it safely. \n\n\t\tA safer means of updating this page is on the programmers' to-do list."
return render(request, "errors/notice.html", {"message": message})
m = re.search(r"(.*)<head([^>]*)>(.*)</head>(.*)<body([^>]*)>(.*)</body>(.*)", html, re.DOTALL + re.IGNORECASE)
if m:
filefound = True
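Review bot: The widened pattern on the new regex line still scans with `re.DOTALL` and a lazy `.*?` that nothing stops at `-->`, so the keyword does not have to sit inside the comment that opened the match: a page with any `<!-- ... -->` near the top, the words "do not edit" (case-insensitive) in later visible text and any `-->` after that is locked as well, and the notice then tells the user the page is auto-generated. That over-matches in the safe direction for a lockout guard, but it makes the control's coverage hard to reason about; confining the scan to one comment with `r"<!--\s*((?:(?!-->).)*?(Do not edit|It is auto-generated|NOEDIT)(?:(?!-->).)*?)\s*-->"` gives the semantics the code appears to intend. Because this match is the check the commit relies on to close the edit loophole, a short comment beside it saying that the marker must appear inside an HTML comment, and listing the three spellings honoured, would help whoever adds the next marker; the `\<\!--` and `--\>` escapes are also unnecessary and can go. `editexpopage` begins before and continues after this hunk, so whether the same guard protects the form-submission path that actually writes the file cannot be confirmed from these lines.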