+ tsid="$(POST session_key)"; tsid="${tsid%% *}"
+ attachment_delete="$(POST delete)"
+
+ if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
+ . "$_EXEC/multipart.sh"
+ multipart_cache
+
+ # Validate session id from form to prevent CSRF
+ # Only validate if username is present, because no username means
+ # anonymous uploads are allowed via acl and cgilite/session.sh does not
+ # validate anonymous sessions from a multipart/formdata
+ if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
+ rm -- "$multipart_cachefile"
+ printf 'Refresh: %i\r\n' 4
+ theme_403
+ exit 0
+ fi
+