elif [ -f "$cachepath" ]; then
printf %s "$attpath"
return 0
- elif ! touch "$cachepath"; then
+ elif ! mkdir -p -- "${cachepath%/*}" && touch "$cachepath"; then
printf %s "$attpath"
return 0
fi
res=$(ffprobe -show_entries stream=width "$attpath" 2>&-)
res="${res#*width=}" res="${res%%${BR}*}"
if [ "$res" -gt 1280 ]; then
- ( ffmpeg -y -nostdin -i "$attpath" \
+ ( exec >&- 2>&1;
+ ffmpeg -y -nostdin -i "$attpath" \
-c:v libvpx -vf scale=1280:-2 -crf 28 -b:v 0 \
-c:a libvorbis -q:a 6 \
"${cachepath%.*}.tmp.webm" \
& ) &
else
- ( ffmpeg -y -nostdin -i "$attpath" \
+ ( exec >&- 2>&1;
+ ffmpeg -y -nostdin -i "$attpath" \
-c:v libvpx -crf 28 -b:v 0 \
-c:a libvorbis -q:a 6 \
"${cachepath%.*}.tmp.webm" \
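Review bot: The new condition on the `mkdir`/`touch` line negates only `mkdir`, because `!` applies to the first pipeline of the `&&` list: when `mkdir -p` succeeds the list is already false and `touch "$cachepath"` never runs, and the early return is taken only when `mkdir` fails but `touch` succeeds. If the empty cache file is what the preceding `[ -f "$cachepath" ]` branch uses to recognise a conversion in progress (the function starts outside the hunk, so this is inferred), every request for an uncached video would start another background `ffmpeg`, which is a resource-exhaustion risk on a publicly reachable endpoint. Grouping the list restores the intended meaning: `elif ! { mkdir -p -- "${cachepath%/*}" && touch "$cachepath"; }; then`. Separately, in both subshells `exec >&- 2>&1` closes stdout and then duplicates the closed descriptor, which is a redirection error (some shells abort the subshell on it) and at best leaves fd 1 closed for ffmpeg; `exec >/dev/null 2>&1` detaches from the CGI response without that side effect.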
}
if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then
- theme_attachments "${PATH_INFO%\[attachment\]/}"
+ tsid="$(POST session_key)"; tsid="${tsid%% *}"
+ attachment_delete="$(POST delete)"
+
+ if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
+ . "$_EXEC/multipart.sh"
+ multipart_cache
+
+ # Validate session id from form to prevent CSRF
+ # Only validate if username is present, because no username means
+ # anonymous uploads are allowed via acl and cgilite/session.sh does not
+ # validate anonymous sessions from a multipart/formdata
+ if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
+ rm -- "$multipart_cachefile"
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ exit 0
+ fi
+
+ mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/"
+ n=1; while filename=$(multipart_filename "file" "$n"); do
+ filename="$(printf %s "$filename" |tr /\\0 __)"
+ multipart "file" "$n" >"$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$filename"
+ n=$((n + 1))
+ done
+ rm -- "$multipart_cachefile"
+ REDIRECT "${_BASE}${PATH_INFO}"
+ elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ head -c $((CONTENT_LENGTH)) >/dev/null
+ elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
+ rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete"
+ REDIRECT "${_BASE}${PATH_INFO}"
+ elif [ "$attachment_delete" ]; then
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ elif acl_read "${PATH_INFO%\[attachment\]/}"; then
+ theme_attachments "${PATH_INFO%\[attachment\]/}"
+ else
+ theme_404
+ fi
elif [ "${PATH_INFO%/\[attachment\]/*}" != "${PATH_INFO}" ]; then
attpath="${PATH_INFO%/\[attachment\]/*}/#attachments/${PATH_INFO##*/}"
- if [ -f "$_DATA/pages/$attpath" ]; then
+
+ if ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then
+ theme_403
+ elif [ -f "$_DATA/pages/$attpath" ]; then
FILE "$_DATA/pages/$attpath"
elif [ -f "$_EXEC/pages/$attpath" ]; then
FILE "$_EXEC/pages/$attpath"
elif [ "${PATH_INFO%/}" = "${PATH_INFO}" ]; then
attpath="${PATH_INFO%/*}/#attachments/${PATH_INFO##*/}"
- if [ -f "$_DATA/pages/$attpath" ]; then
+
+ if ! acl_read "${PATH_INFO%/*}/"; then
+ theme_403
+ elif [ -f "$_DATA/pages/$attpath" ]; then
FILE "$(attachment_convert "$_DATA/pages/$attpath")"
elif [ -f "$_EXEC/pages/$attpath" ]; then
FILE "$(attachment_convert "$_EXEC/pages/$attpath")"
elif [ -d "$_DATA/pages/${PATH_INFO}" -o -d "$_EXEC/pages/${PATH_INFO}" ]; then
REDIRECT "${_BASE}${PATH_INFO}/"
+ else
+ theme_404
fi
exit 0
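Review bot: The delete branch (`elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]`) checks only the session token, whereas the upload branch also requires `acl_write`, so any client holding a valid session can remove attachments from a page it is not allowed to edit. The `delete` value is also placed into the `rm` path unmodified, while upload names are passed through `tr /\\0 __`; unless `POST` already rejects path separators (not visible here), a value containing `../` would resolve outside `#attachments/`. I would gate the branch with `&& acl_write "${PATH_INFO%\[attachment\]/}"` and pass `"${attachment_delete##*/}"` to `rm`. The surrounding if/elif chain begins before this hunk.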