X-Git-Url: https://git.plutz.net/?a=blobdiff_plain;f=attachment.sh;h=1981973d392359604c14c6d72c3ef479c1d295d8;hb=883500946318196d3788d994d4a66932adf7077b;hp=89b90ae2579a04dea091a01ac07de16f80454bb5;hpb=1ab03a82dd44b590f696045747068aea373d5bf8;p=shellwiki diff --git a/attachment.sh b/attachment.sh index 89b90ae..1981973 100755 --- a/attachment.sh +++ b/attachment.sh @@ -39,7 +39,8 @@ attachment_convert(){ res=$(ffprobe -show_entries stream=width "$attpath" 2>&-) res="${res#*width=}" res="${res%%${BR}*}" if [ "$res" -gt 1280 ]; then - ( ffmpeg -y -nostdin -i "$attpath" \ + ( exec >&- 2>&1; + ffmpeg -y -nostdin -i "$attpath" \ -c:v libvpx -vf scale=1280:-2 -crf 28 -b:v 0 \ -c:a libvorbis -q:a 6 \ "${cachepath%.*}.tmp.webm" \ @@ -47,7 +48,8 @@ attachment_convert(){ & ) & else - ( ffmpeg -y -nostdin -i "$attpath" \ + ( exec >&- 2>&1; + ffmpeg -y -nostdin -i "$attpath" \ -c:v libvpx -crf 28 -b:v 0 \ -c:a libvorbis -q:a 6 \ "${cachepath%.*}.tmp.webm" \ @@ -61,8 +63,24 @@ attachment_convert(){ } if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then - . "$_EXEC/multipart.sh" - if multipart_cache; then + tsid="$(POST session_key)"; tsid="${tsid%% *}" + attachment_delete="$(POST delete)" + + if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then + . "$_EXEC/multipart.sh" + multipart_cache + + # Validate session id from form to prevent CSRF + # Only validate if username is present, because no username means + # anonymous uploads are allowed via acl and cgilite/session.sh does not + # validate anonymous sessions from a multipart/formdata + if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then + rm -- "$multipart_cachefile" + printf 'Refresh: %i\r\n' 4 + theme_403 + exit 0 + fi + mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/" n=1; while filename=$(multipart_filename "file" "$n"); do filename="$(printf %s "$filename" |tr /\\0 __)" @@ -71,13 +89,28 @@ if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then done rm -- "$multipart_cachefile" REDIRECT "${_BASE}${PATH_INFO}" - else + elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then + printf 'Refresh: %i\r\n' 4 + theme_403 + head -c $((CONTENT_LENGTH)) >/dev/null + elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then + rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete" + REDIRECT "${_BASE}${PATH_INFO}" + elif [ "$attachment_delete" ]; then + printf 'Refresh: %i\r\n' 4 + theme_403 + elif acl_read "${PATH_INFO%\[attachment\]/}"; then theme_attachments "${PATH_INFO%\[attachment\]/}" + else + theme_404 fi elif [ "${PATH_INFO%/\[attachment\]/*}" != "${PATH_INFO}" ]; then attpath="${PATH_INFO%/\[attachment\]/*}/#attachments/${PATH_INFO##*/}" - if [ -f "$_DATA/pages/$attpath" ]; then + + if ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then + theme_403 + elif [ -f "$_DATA/pages/$attpath" ]; then FILE "$_DATA/pages/$attpath" elif [ -f "$_EXEC/pages/$attpath" ]; then FILE "$_EXEC/pages/$attpath" @@ -88,12 +121,17 @@ elif [ "${PATH_INFO%/\[attachment\]/*}" != "${PATH_INFO}" ]; then elif [ "${PATH_INFO%/}" = "${PATH_INFO}" ]; then attpath="${PATH_INFO%/*}/#attachments/${PATH_INFO##*/}" - if [ -f "$_DATA/pages/$attpath" ]; then + + if ! acl_read "${PATH_INFO%/*}/"; then + theme_403 + elif [ -f "$_DATA/pages/$attpath" ]; then FILE "$(attachment_convert "$_DATA/pages/$attpath")" elif [ -f "$_EXEC/pages/$attpath" ]; then FILE "$(attachment_convert "$_EXEC/pages/$attpath")" elif [ -d "$_DATA/pages/${PATH_INFO}" -o -d "$_EXEC/pages/${PATH_INFO}" ]; then REDIRECT "${_BASE}${PATH_INFO}/" + else + theme_404 fi exit 0