- tsid="$(POST session_key)"; tsid="${tsid%% *}"
- attachment_delete="$(POST delete)"
-
- if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
- . "$_EXEC/multipart.sh"
- multipart_cache
-
- # Validate session id from form to prevent CSRF
- # Only validate if username is present, because no username means
- # anonymous uploads are allowed via acl and cgilite/session.sh does not
- # validate anonymous sessions from a multipart/formdata
- if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
- rm -- "$multipart_cachefile"
- printf 'Refresh: %i\r\n' 4
- theme_error 403
- return 0
- fi
+ # no trailing slash
+ REDIRECT "${_BASE}${PATH_INFO%/}"
+ ;;
+ */*/)
+ # attached files never end on /
+ return 1
+ ;;
+ */\[attachment\])
+ # show attachment page
+ page="${PATH_INFO%\[attachment\]}"