authorPhilip Sargent <philip.sargent@gmail.com>2023-08-25 22:08:04 +0300
committerPhilip Sargent <philip.sargent@gmail.com>2023-08-25 22:08:04 +0300
commit93397a774fc5cd1aceec0b4329c8f96c708559a5 (patch)
tree907b49ba015741bbb782d3be29beff0de1433be4 /core/views/expo.py
parentf2a76da7e260530a798fafe7d6132d63ca6e90b3 (diff)
fix _edit access loophole
Diffstat (limited to 'core/views/expo.py')
-rw-r--r--core/views/expo.py5
1 files changed, 3 insertions, 2 deletions
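diff --git a/core/views/expo.py b/core/views/expo.py
index 3e36862..900ca32 100644
--- a/core/views/expo.py
+++ b/core/views/expo.py
@@ -379,10 +379,11 @@ def editexpopage(request, path):
 o = open(filepath, "r", encoding="utf8")
 html = o.read()
 autogeneratedmatch = re.search(
- r"\<\!--\s*(.*?(Do not edit|It is auto-generated).*?)\s*--\>", html, re.DOTALL + re.IGNORECASE
+ r"\<\!--\s*(.*?(Do not edit|It is auto-generated|NOEDIT).*?)\s*--\>", html, re.DOTALL + re.IGNORECASE
 )
 if autogeneratedmatch:
- return HttpResponse(autogeneratedmatch.group(1))
+ message = "\tThis page is either auto-generated, and so cannot be edited,\n\t\tor it is too complex to allow users to edit it safely. \n\n\t\tA safer means of updating this page is on the programmers' to-do list."
+ return render(request, "errors/notice.html", {"message": message})
 m = re.search(r"(.*)<head([^>]*)>(.*)</head>(.*)<body([^>]*)>(.*)</body>(.*)", html, re.DOTALL + re.IGNORECASE)
 if m:
 filefound = True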
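Review bot: The NOEDIT marker check on the new side guards only the point where the page file is read for the editor; if the save branch of editexpopage (the function starts before and continues after this hunk) does not pass through the same check, a form submission could still write a page the marker is meant to protect, which is worth confirming since closing that loophole is the commit's stated purpose. On the lines kept from before, `o = open(filepath, "r", encoding="utf8")` is never closed, and the early return the commit adds makes that more likely to matter; `with open(filepath, "r", encoding="utf8") as o:` followed by `html = o.read()` releases the handle on every path. `re.DOTALL + re.IGNORECASE` works only because the two bits are distinct; `re.DOTALL | re.IGNORECASE` is the conventional form and stays correct if a flag is ever repeated. The tab and newline characters in `message` survive only if errors/notice.html renders the value inside a `<pre>` or through a linebreaks filter, which this hunk does not show.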