X-Git-Url: https://git.plutz.net/?a=blobdiff_plain;f=attachment.sh;h=1981973d392359604c14c6d72c3ef479c1d295d8;hb=883500946318196d3788d994d4a66932adf7077b;hp=d004b0db549954f00575810169f6a6665c9357e3;hpb=ee0162b0ee46d258908de998cfa220edb4074d96;p=shellwiki diff --git a/attachment.sh b/attachment.sh index d004b0d..1981973 100755 --- a/attachment.sh +++ b/attachment.sh @@ -17,7 +17,7 @@ attachment_convert(){ elif [ -f "$cachepath" ]; then printf %s "$attpath" return 0 - elif ! touch "$cachepath"; then + elif ! mkdir -p -- "${cachepath%/*}" && touch "$cachepath"; then printf %s "$attpath" return 0 fi @@ -39,7 +39,8 @@ attachment_convert(){ res=$(ffprobe -show_entries stream=width "$attpath" 2>&-) res="${res#*width=}" res="${res%%${BR}*}" if [ "$res" -gt 1280 ]; then - ( ffmpeg -y -nostdin -i "$attpath" \ + ( exec >&- 2>&1; + ffmpeg -y -nostdin -i "$attpath" \ -c:v libvpx -vf scale=1280:-2 -crf 28 -b:v 0 \ -c:a libvorbis -q:a 6 \ "${cachepath%.*}.tmp.webm" \ @@ -47,7 +48,8 @@ attachment_convert(){ & ) & else - ( ffmpeg -y -nostdin -i "$attpath" \ + ( exec >&- 2>&1; + ffmpeg -y -nostdin -i "$attpath" \ -c:v libvpx -crf 28 -b:v 0 \ -c:a libvorbis -q:a 6 \ "${cachepath%.*}.tmp.webm" \ 
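Review bot: The new guard `elif ! mkdir -p -- "${cachepath%/*}" && touch "$cachepath"; then` no longer does what the old `! touch` did: `!` binds only to `mkdir`, so the list reads `(! mkdir …) && touch …`; when mkdir succeeds the condition is false and `touch` never runs, and when mkdir fails `touch` is attempted in a directory that does not exist and the condition is again false. Either way the fallback to `$attpath` is never taken and the cache file is no longer created before the conversion is started, which, if the `[ -f "$cachepath" ]` test just above relies on that placeholder to detect a conversion in progress, would let concurrent requests launch duplicate conversions. Group the list so the negation covers both commands: `elif ! { mkdir -p -- "${cachepath%/*}" && touch "$cachepath"; }; then`. attachment_convert starts before this hunk.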
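Review bot: `exec >&- 2>&1` in the added subshell closes fd 1 first and then tries to duplicate the already-closed fd 1 onto fd 2, which fails with EBADF; since a failing `exec` redirection makes a non-interactive shell exit, the subshell is likely to terminate before ffmpeg is started at all, leaving the cache entry unfilled (the same construct is added again in the hunk at @@ -47,7 +48,8). If the intent is to detach the conversion from the CGI response, redirect both descriptors to /dev/null rather than closing them, `( exec >/dev/null 2>&1;`, which also keeps ffmpeg's own log writes from failing on a closed descriptor. The ffmpeg invocation continues past the end of the hunk.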
@@ -61,18 +63,54 @@ attachment_convert(){ } if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then - . "$_EXEC/multipart.sh" - if multipart_cache; then - debug 'Multipart "file":' - multipart file |hd |debug >/dev/null + tsid="$(POST session_key)"; tsid="${tsid%% *}" + attachment_delete="$(POST delete)" + + if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then + . "$_EXEC/multipart.sh" + multipart_cache + + # Validate session id from form to prevent CSRF + # Only validate if username is present, because no username means + # anonymous uploads are allowed via acl and cgilite/session.sh does not + # validate anonymous sessions from a multipart/formdata + if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then + rm -- "$multipart_cachefile" + printf 'Refresh: %i\r\n' 4 + theme_403 + exit 0 + fi + + mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/" + n=1; while filename=$(multipart_filename "file" "$n"); do + filename="$(printf %s "$filename" |tr /\\0 __)" + multipart "file" "$n" >"$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$filename" + n=$((n + 1)) + done + rm -- "$multipart_cachefile" REDIRECT "${_BASE}${PATH_INFO}" - else + elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then + printf 'Refresh: %i\r\n' 4 + theme_403 + head -c $((CONTENT_LENGTH)) >/dev/null + elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then + rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete" + REDIRECT "${_BASE}${PATH_INFO}" + elif [ "$attachment_delete" ]; then + printf 'Refresh: %i\r\n' 4 + theme_403 + elif acl_read "${PATH_INFO%\[attachment\]/}"; then theme_attachments "${PATH_INFO%\[attachment\]/}" + else + theme_404 fi elif [ "${PATH_INFO%/\[attachment\]/*}" != "${PATH_INFO}" ]; then attpath="${PATH_INFO%/\[attachment\]/*}/#attachments/${PATH_INFO##*/}" - if [ -f "$_DATA/pages/$attpath" ]; then + + if ! 
acl_read "${PATH_INFO%/\[attachment\]/*}"; then + theme_403 + elif [ -f "$_DATA/pages/$attpath" ]; then FILE "$_DATA/pages/$attpath" elif [ -f "$_EXEC/pages/$attpath" ]; then FILE "$_EXEC/pages/$attpath" @@ -83,12 +121,17 @@ elif [ "${PATH_INFO%/\[attachment\]/*}" != "${PATH_INFO}" ]; then elif [ "${PATH_INFO%/}" = "${PATH_INFO}" ]; then attpath="${PATH_INFO%/*}/#attachments/${PATH_INFO##*/}" - if [ -f "$_DATA/pages/$attpath" ]; then + + if ! acl_read "${PATH_INFO%/*}/"; then + theme_403 + elif [ -f "$_DATA/pages/$attpath" ]; then FILE "$(attachment_convert "$_DATA/pages/$attpath")" elif [ -f "$_EXEC/pages/$attpath" ]; then FILE "$(attachment_convert "$_EXEC/pages/$attpath")" elif [ -d "$_DATA/pages/${PATH_INFO}" -o -d "$_EXEC/pages/${PATH_INFO}" ]; then REDIRECT "${_BASE}${PATH_INFO}/" + else + theme_404 fi exit 0
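Review bot: The new delete branch `elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then` passes `$(POST delete)` straight into `rm -- "$_DATA/pages/…/#attachments/$attachment_delete"` with neither an `acl_write` check nor any normalisation, while the upload branch a few lines above requires `acl_write` and runs every filename through `tr /\\0 __`. Unless `POST` itself strips path separators, a value containing `/` names a file outside the attachments directory, and the session-token check alone means any session holder could remove attachments of pages they are not allowed to write. Reuse the upload branch's conditions: require `acl_write "${PATH_INFO%\[attachment\]/}"` and refuse names containing `/` or equal to `.`/`..` before calling rm, as sketched below; a bad name then falls into the existing 403 handling. The `if` chain this branch belongs to starts and ends inside the hunk.
```shell
  elif [ "$attachment_delete" ] && [ "$SESSION_ID" = "$tsid" ] \
       && acl_write "${PATH_INFO%\[attachment\]/}"; then
    case "$attachment_delete" in
      .|..|*/*) printf 'Refresh: %i\r\n' 4; theme_403;;
      *) rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete"
         REDIRECT "${_BASE}${PATH_INFO}";;
    esac
  # … unchanged: remaining elif branches (403 on bad token, listing, 404) …
```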
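Review bot: The new `if ! acl_read "${PATH_INFO%/*}/"; then` passes the page with a trailing slash, whereas the `[attachment]` fetch branch added earlier in this commit calls `acl_read "${PATH_INFO%/\[attachment\]/*}"` without one and the listing branch uses `"${PATH_INFO%\[attachment\]/}"`. If acl_read matches its rules textually rather than normalising the page name, the same attachment could be readable through one URL form and refused through the other. Settling on one canonical form for all three calls, for example the trailing-slash form used here, would keep the checks in agreement; a one-line comment above the call stating which form acl_read expects would help the next reader.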