+++ /dev/null
-#!/bin/sh
-
-REV_ATTACHMENTS="${REV_ATTACHMENTS:-false}"
-
-if [ "${PATH_INFO##*/\[attachment\]}" ]; then
- # Skip any action not happening on attachment page
- return 1
-fi
-
-page="${PATH_INFO%\[attachment\]}"
-action="$(POST action)"
-
-tsid="$(POST session_key)"; tsid="${tsid%% *}"
-
-
-if ! acl_write "${PATH_INFO%\[attachment\]}"; then
- # Deny access to write protected pages
- printf 'Refresh: %i\r\n' 4
- theme_error 403
- [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] \
- && head -c $((CONTENT_LENGTH)) >/dev/null
- return 0
-
-elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
- . "$_EXEC/multipart.sh"
- multipart_cache
-
- # Use positional parameters for filename collection
- # The positional array is the only array available
- # in plain posix shells, see the documentation for
- # your shells "set" builtin for a hint to this
- # obscure use mode
- set --
-
- # Validate session id from form to prevent CSRF
- # Only validate if username is present, because no username means
- # anonymous uploads are allowed via acl and cgilite/session.sh does not
- # validate anonymous sessions from a multipart/formdata
- if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
- rm -- "$multipart_cachefile"
- printf 'Refresh: %i\r\n' 4
- theme_error 403
- return 0
- fi
-
- mkdir -p "$_DATA/pages${page}#attachments/"
- n=1; while filename=$(multipart_filename "file" "$n"); do
- filename="$(printf %s "$filename" |tr /\\0 __)"
- set -- "$@" "pages${page}#attachments/$filename"
- multipart "file" "$n" >"$_DATA/pages${page}#attachments/$filename"
- n=$((n + 1))
- done
- rm -- "$multipart_cachefile"
- if [ "$REV_ATTACHMENTS" = true ]; then
- git -C "$_DATA" add -- "$@"
- git -C "$_DATA" commit -qm "Attachments to # $page # uploaded by @ $USER_NAME @" -- "$@"
- fi
- REDIRECT "${_BASE}${PATH_INFO}"
-
-elif [ "$SESSION_ID" != "$tsid" ]; then
- # Match session key from POST-Data to prevent CSRF:
- # For authenticated users the POST session_key must match
- # the session key used for authentication (usually from a
- # cookie). This should ensure that POST requests were not
- # triggered by malicious 3rd party sites freeriding on an
- # existing user authentication.
- # For pages that are writable by anonymous users, this is
- # not reliable.
-
- printf 'Refresh: %i\r\n' 4
- theme_error 403
- return 0
-fi
-
-if [ "$action" = delete -o "$action" = move ]; then
- set --
- n="$(POST_COUNT select)"; while [ $n -gt 0 ]; do
- select="$(POST select $n |PATH)"
- set -- "$@" "pages${page}#attachments/${select##*/}"
- n=$((n - 1))
- done
-fi
-
-if [ "$action" = delete ]; then
- if [ "$REV_ATTACHMENTS" = true ]; then
- git -C "$_DATA" rm -- "$@"
- git -C "$_DATA" commit -qm \
- "Attachment to # $page # deleted by @ $USER_NAME @" -- "$@"
- else
- ( cd "$_DATA" && rm -- "$@"; )
- fi
- REDIRECT "${_BASE}${PATH_INFO}"
-
-elif [ "$action" = move ]; then
- moveto="$(POST moveto |PATH)"
-
- if ! acl_write "$moveto"; then
- printf 'Refresh: %i\r\n' 4
- theme_error 403
- return 0
-
- elif [ ! -d "${_DATA}/pages${moveto}" ]; then
- printf 'Refresh: %i\r\n' 4
- theme_error 404
- return 0
-
- elif [ "$REV_ATTACHMENTS" = true ]; then
- mkdir -p -- "${_DATA}/pages${moveto}/#attachments"
- git -C "$_DATA" mv -f -- "$@" "pages${moveto}/#attachments/"
-
- cnt=$#; while [ $cnt -gt 0 ]; do
- set -- "$@" "$1" "pages/${moveto}/#attachments/${1##*/}"
- cnt=$((cnt - 1)); shift 1
- done
-
- git -C "$_DATA" commit -qm \
- "Attachment moved from # $page # to # $moveto # by @ $USER_NAME @" -- "$@"
- else
- mkdir -p -- "${_DATA}/pages${moveto}/#attachments"
- ( cd "$_DATA" && mv -- "$@" "pages${moveto}/#attachments/"; )
- fi
- REDIRECT "${_BASE}${PATH_INFO}"
-
-elif [ "$action" = rename ]; then
- fail='' success=''
- set --
-
- for file in "${_DATA}/pages${page}#attachments"/*; do
- rename="$(POST rename_"$(slopecode "${file##*/}" |sed 's;=;%3D;g')")"
-
- if [ "$REV_ATTACHMENTS" = true -a \
- -f "${file}" -a \
- "$rename" -a \
- "${rename%/*}" = "${rename}" -a \
- ! -e "${_DATA}/pages${page}#attachments/${rename}" ] \
- && git -C "$_DATA" mv -- "pages${page}#attachments/${file##*/}" "pages${page}#attachments/${rename}"; then
- success="${success}$(HTML "${file##*/}/${rename}")${BR}"
- set -- "$@" "pages${page}#attachments/${file##*/}" "pages${page}#attachments/${rename}"
-
- elif [ "$REV_ATTACHMENTS" = true -a "${rename}" ]; then
- fail="${fail}$(HTML "${file##*/}/${rename}")${BR}"
-
- elif [ -f "${file}" -a \
- "$rename" -a \
- "${rename%/*}" = "${rename}" -a \
- ! -e "${_DATA}/pages${page}#attachments/${rename}" ] \
- && mv -- "${file}" "${_DATA}/pages${page}#attachments/${rename}"; then
- success="${success}$(HTML "${file##*/}/${rename}")${BR}"
-
- elif [ "${rename}" ]; then
- fail="${fail}$(HTML "${file##*/}/${rename}")${BR}"
-
- fi
- done
-
- if [ "$REV_ATTACHMENTS" = true -a $# -gt 2 ]; then
- git -C "$_DATA" commit -qm \
- "Attachment files renamed by @ $USER_NAME @" -- "$@"
- elif [ "$REV_ATTACHMENTS" = true -a $# -eq 2 ]; then
- git -C "$_DATA" commit -qm \
- "Attachment file renamed by @ $USER_NAME @" -- "$@"
- fi
-
- if [ "$success" -a "$fail" ]; then
- printf "%s\r\n" "Status: 500 Internal Server Error"
- theme_page - "Attachment rename" <<-EOF
- <h1 class="rename partial">Some files could not be renamed</h1>
- <h2 class="rename success">Successfully renamed:</h2>
- <ul class="rename success">
- $(printf %s "$success" |while read html; do
- printf '<li><span class=from>%s</span> -> <span class=to>%s</span></li>' \
- "${html%%/*}" "${html##*/}"
- done)
- </ul>
- <h2 class="rename fail">Errors:</h2>
- <ul class="rename fail">
- $(printf %s "$fail" |while read html; do
- printf '<li><span class=from>%s</span> -> <span class=to>%s</span></li>' \
- "${html%%/*}" "${html##*/}"
- done)
- </ul>
- <a class="button rename fail" href="[attachment]">OK</a>
- EOF
- exit 0
-
- elif [ "$fail" ]; then
- printf "%s\r\n" "Status: 500 Internal Server Error"
- theme_page - "Attachment rename" <<-EOF
- <h1 class="rename fail">Files could not be renamed</h1>
- <ul class="rename fail">
- $(printf %s "$fail" |while read html; do
- printf '<li><span class=from>%s</span> -> <span class=to>%s</span></li>' \
- "${html%%/*}" "${html##*/}"
- done)
- </ul>
- <a class="button rename fail" href="[attachment]">OK</a>
- EOF
- exit 0
-
- elif [ "$success" ]; then
- printf 'Refresh: %i\r\n' 4
- theme_page - "Attachment rename" <<-EOF
- <h1 class="rename success">Files were renamed</h1>
- <ul class="rename success">
- $(printf %s "$success" |while read html; do
- printf '<li><span class=from>%s</span> -> <span class=to>%s</span></li>' \
- "${html%%/*}" "${html##*/}"
- done)
- </ul>
- <a class="button rename success" href="[attachment]">OK</a>
- EOF
- exit 0
-
- else
- REDIRECT "${_BASE}${PATH_INFO}"
-
- fi
-fi
-
-return 1