security: fix remote code execution vulnerability in twikidraw/anywik…

…idraw actions

We have wikiutil.taintfilename() to make user supplied filenames safe,
so that they can't contain any "special" characters like path separators, etc.
It is used at many places in moin, but wasn't used here. :|

MoinMoin/action/AttachFile.py

@@ -603,6 +603,14 @@ class ContainerItem:
     """ A storage container (multiple objects in 1 tarfile) """
 
     def __init__(self, request, pagename, containername):
+        """
+        @param pagename: a wiki page name
+        @param containername: the filename of the tar file.
+                              Make sure this is a simple filename, NOT containing any path components.
+                              Use wikiutil.taintfilename() to avoid somebody giving a container
+                              name that starts with e.g. ../../filename or you'll create a
+                              directory traversal and code execution vulnerability.
+        """
         self.request = request
         self.pagename = pagename
         self.containername = containername

MoinMoin/action/anywikidraw.py

@@ -197,6 +197,8 @@ def render(self):
 
 def execute(pagename, request):
     target = request.values.get('target')
+    target = wikiutil.taintfilename(target)
+
     awd = AnyWikiDraw(request, pagename, target)
 
     do = request.values.get('do')

MoinMoin/action/twikidraw.py

@@ -208,6 +208,8 @@ def render(self):
 
 def execute(pagename, request):
     target = request.values.get('target')
+    target = wikiutil.taintfilename(target)
+
     twd = TwikiDraw(request, pagename, target)
 
     do = request.values.get('do')