+ tsid="$(POST session_key)"; tsid="${tsid%% *}"
+ attachment_delete="$(POST delete)"
+
+ if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
+ . "$_EXEC/multipart.sh"
+ multipart_cache
+
+ # Validate session id from form to prevent CSRF
+ # Only validate if username is present, because no username means
+ # anonymous uploads are allowed via acl and cgilite/session.sh does not
+ # validate anonymous sessions from a multipart/formdata
+ if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
+ rm -- "$multipart_cachefile"
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ exit 0
+ fi
+
+ mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/"
+ n=1; while filename=$(multipart_filename "file" "$n"); do
+ filename="$(printf %s "$filename" |tr /\\0 __)"
+ multipart "file" "$n" >"$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$filename"
+ n=$((n + 1))
+ done
+ rm -- "$multipart_cachefile"
+ REDIRECT "${_BASE}${PATH_INFO}"
+ elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ head -c $((CONTENT_LENGTH)) >/dev/null
+ elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
+ rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete"
+ REDIRECT "${_BASE}${PATH_INFO}"
+ elif [ "$attachment_delete" ]; then
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ elif acl_read "${PATH_INFO%\[attachment\]/}"; then
+ theme_attachments "${PATH_INFO%\[attachment\]/}"
+ else
+ theme_404
+ fi