This file is indexed.

/usr/share/pyshared/MoinMoin/action/backup.py is in python-moinmoin 1.9.3-1ubuntu2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - download a backup via http.

    Triggering backup action will check if you are authorized to do a backup
    and if yes, just send a <siteid>-<date>--<time>.tar.<format> to you.
    What exactly is contained in your backup depends on your wiki's
    configuration - please make sure you have everything you need BEFORE you
    really need it.

    Note: there is no restore support, you need somebody having access to your
          wiki installation via the server's file system, knowing about tar
          and restoring your data CAREFULLY (AKA "the server admin").

    @copyright: 2005-2008 by MoinMoin:ThomasWaldmann
    @license: GNU GPL, see COPYING for details.
"""

import os, re, time

from MoinMoin import wikiutil
from MoinMoin.support import tarfile


def addFiles(path, tar, exclude_func):
    """ Add files in path to tar """
    for root, dirs, files in os.walk(path):
        files.sort() # sorted page revs may compress better
        for name in files:
            path = os.path.join(root, name)
            if exclude_func(path):
                continue
            tar.add(path)


def sendBackup(request):
    """ Send compressed tar file """
    dateStamp = time.strftime("%Y-%m-%d--%H-%M-%S-UTC", time.gmtime())
    filename = "%s-%s.tar.%s" % (request.cfg.siteid, dateStamp, request.cfg.backup_compression)
    request.headers['Content-Type'] = 'application/octet-stream'
    request.headers['Content-Disposition'] = 'inline; filename="%s"' % filename
    tar = tarfile.open(fileobj=request, mode="w|%s" % request.cfg.backup_compression)
    # allow GNU tar's longer file/pathnames
    tar.posix = False
    for path in request.cfg.backup_include:
        addFiles(path, tar, request.cfg.backup_exclude)
    tar.close()


def sendBackupForm(request, pagename):
    _ = request.getText
    request.setContentLanguage(request.lang)
    title = _('Wiki Backup')
    request.theme.send_title(title, pagename=pagename)
    request.write(request.formatter.startContent("content"))

    request.write(_("""= Downloading a backup =

Please note:
 * Store backups in a safe and secure place - they contain sensitive information.
 * Make sure your wiki configuration backup_* values are correct and complete.
 * Make sure the backup file you get contains everything you need in case of problems.
 * Make sure it is downloaded without problems.

To get a backup, just click here:""", wiki=True))

    request.write("""
<form action="%(baseurl)s/%(pagename)s" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="backup">
<input type="hidden" name="do" value="backup">
<input type="submit" value="%(backup_button)s">
</form>
""" % {
    'baseurl': request.script_root,
    'pagename': wikiutil.quoteWikinameURL(pagename),
    'backup_button': _('Backup'),
})

    request.write(request.formatter.endContent())
    request.theme.send_footer(pagename)
    request.theme.send_closing_html()

# NOTE: consider using ActionBase.render_msg instead of this function.
def sendMsg(request, pagename, msg, msgtype):
    """
    @param msg: Message to show. Should be escaped.
    """
    from MoinMoin import Page
    request.theme.add_msg(msg, msgtype)
    return Page.Page(request, pagename).send_page()


def backupAllowed(request):
    """ Return True if backup is allowed """
    action = __name__.split('.')[-1]
    user = request.user
    return user.valid and user.name in request.cfg.backup_users


def execute(pagename, request):
    _ = request.getText
    if not backupAllowed(request):
        return sendMsg(request, pagename,
                       msg=_('You are not allowed to do remote backup.'), msgtype="error")

    dowhat = request.form.get('do')
    if dowhat == 'backup':
        sendBackup(request)
    elif dowhat is None:
        sendBackupForm(request, pagename)
    else:
        return sendMsg(request, pagename,
                       msg=_('Unknown backup subaction: %s.') % wikiutil.escape(dowhat), msgtype="error")