Closed matthewhughes934 closed 4 years ago
I am in progress of preparing a new moin release with werkzeug 1.0.1 - guess this should be tested after that change, whether it still happens.
How can I reproduce this?
I put some ACLs on a page, then viewed it (-> not allowed).
But I get way more html than you also also i don't see these html tag issues.
How can I reproduce this?
Hi, sorry should've included that in the issue. Let me dig up what I had.
I was just manually blacklisting my local IP:
diff --git a/MoinMoin/config/multiconfig.py b/MoinMoin/config/multiconfig.py
index 0f03cb50..3f21fa4e 100644
--- a/MoinMoin/config/multiconfig.py
+++ b/MoinMoin/config/multiconfig.py
@@ -851,7 +851,7 @@ options_no_group_name = {
'spam_leech_dos': ('Anti-Spam/Leech/DOS',
'These settings help limiting ressource usage and avoiding abuse.',
(
- ('hosts_deny', [], "List of denied IPs; if an IP ends with a dot, it denies a whole subnet (class A, B or C)"),
+ ('hosts_deny', ["127.0.0.1"], "List of denied IPs; if an IP ends with a dot, it denies a whole subnet (class A, B or C)"),
('surge_action_limits',
{# allow max. <count> <action> requests per <dt> secs
# action: (count, dt)
Then just:
$ python wikiserver.py &
$ curl localhost:8080
And a very direct approach to force surge detection:
diff --git a/MoinMoin/web/utils.py b/MoinMoin/web/utils.py
index bc18e47f..7e5433cf 100644
--- a/MoinMoin/web/utils.py
+++ b/MoinMoin/web/utils.py
@@ -52,6 +52,7 @@ def check_surge_protect(request, kick=False, action=None, username=None):
@param action: specify the action explicitly (default: request.action)
@param username: give username (for action == 'auth-name')
"""
+ raise SurgeProtection(retry_after=60)
limits = request.cfg.surge_action_limits
if not limits:
return False
Ah, ok, that both is in an earlier phase of request processing.
@matthewhughes934 please review / test #67.
as i had to look at the stuff anyway, i continued to just fix it. but you can help be reviewing it, testing it.
Behaviour
I noticed while browsing https://wiki.debian.org/ (powered by MoinMoin) that
<p>
tags would be displayed in the message for pages which are Forbidden (i.e. 403 response). Sample MoinMoin response (testing on local by blacklisting my ip):Note the escaped tags in the last line. When I started browsing the code it looks like there's a similar issue for the SurgeProtection page (tested locally by just forcing this to be raised on each page):
Cause
This appears to be caused by
MoinMoin.Support.werkzeug.exceptions.HTTPException.get_description
which escapes the exception's escape string. Note that this also wraps the description in<p></p>
tags itself.Proposed Solution
Assuming this needs addressing, the easiest solution I see is to simply strip all tags from each exception's
description
. If this is acceptable I'd happily get a PR up for it