X-Git-Url: https://git.plutz.net/?a=blobdiff_plain;f=handlers%2F20_attachment.sh;h=1cf4c53eb2f92b5027068447358a7167a19dd51d;hb=9422fa86d51fdaba072d04f6b0ae5d7e589a4439;hp=0e9757e78f564a45a1a6097c99ec0b08861f38d6;hpb=b86e88d2d6acd3eda7d9858539818a290db67d41;p=shellwiki diff --git a/handlers/20_attachment.sh b/handlers/20_attachment.sh index 0e9757e..1cf4c53 100755 --- a/handlers/20_attachment.sh +++ b/handlers/20_attachment.sh @@ -62,89 +62,94 @@ attachment_convert(){ esac } -if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then - tsid="$(POST session_key)"; tsid="${tsid%% *}" - attachment_delete="$(POST delete)" +case ${PATH_INFO} in + */\[attachment\]/) + tsid="$(POST session_key)"; tsid="${tsid%% *}" + attachment_delete="$(POST delete)" - if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then - . "$_EXEC/multipart.sh" - multipart_cache + if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then + . "$_EXEC/multipart.sh" + multipart_cache - # Validate session id from form to prevent CSRF - # Only validate if username is present, because no username means - # anonymous uploads are allowed via acl and cgilite/session.sh does not - # validate anonymous sessions from a multipart/formdata - if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then + # Validate session id from form to prevent CSRF + # Only validate if username is present, because no username means + # anonymous uploads are allowed via acl and cgilite/session.sh does not + # validate anonymous sessions from a multipart/formdata + if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then + rm -- "$multipart_cachefile" + printf 'Refresh: %i\r\n' 4 + theme_error 403 + return 0 + fi + + mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/" + n=1; while filename=$(multipart_filename "file" "$n"); do + filename="$(printf %s "$filename" |tr /\\0 __)" + multipart "file" "$n" >"$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$filename" + n=$((n + 1)) + done rm -- "$multipart_cachefile" + REDIRECT "${_BASE}${PATH_INFO}" + elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then + printf 'Refresh: %i\r\n' 4 + theme_error 403 + head -c $((CONTENT_LENGTH)) >/dev/null + return 0 + elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then + rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete" + REDIRECT "${_BASE}${PATH_INFO}" + elif [ "$attachment_delete" ]; then printf 'Refresh: %i\r\n' 4 theme_error 403 return 0 + elif acl_read "${PATH_INFO%\[attachment\]/}"; then + theme_attachments "${PATH_INFO%\[attachment\]/}" + return 0 + else + theme_error 404 + return 0 fi + ;; - mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/" - n=1; while filename=$(multipart_filename "file" "$n"); do - filename="$(printf %s "$filename" |tr /\\0 __)" - multipart "file" "$n" >"$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$filename" - n=$((n + 1)) - done - rm -- "$multipart_cachefile" - REDIRECT "${_BASE}${PATH_INFO}" - elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then - printf 'Refresh: %i\r\n' 4 - theme_error 403 - head -c $((CONTENT_LENGTH)) >/dev/null - return 0 - elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then - rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete" - REDIRECT "${_BASE}${PATH_INFO}" - elif [ "$attachment_delete" ]; then - printf 'Refresh: %i\r\n' 4 - theme_error 403 - return 0 - elif acl_read "${PATH_INFO%\[attachment\]/}"; then - theme_attachments "${PATH_INFO%\[attachment\]/}" - return 0 - else - theme_error 404 - return 0 - fi - -elif [ "${PATH_INFO%/\[attachment\]/*}" != "${PATH_INFO}" ]; then - attpath="${PATH_INFO%/\[attachment\]/*}/#attachments/${PATH_INFO##*/}" + */\[attachment\]/*) + attpath="${PATH_INFO%/\[attachment\]/*}/#attachments/${PATH_INFO##*/}" - if ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then - theme_error 403 - return 0 - elif [ -f "$_DATA/pages/$attpath" ]; then - FILE "$_DATA/pages/$attpath" - return 0 - elif [ -f "$_EXEC/pages/$attpath" ]; then - FILE "$_EXEC/pages/$attpath" - return 0 - else - theme_error 404 - return 0 - fi -# exit 0; - -elif [ "${PATH_INFO%/}" = "${PATH_INFO}" ]; then - attpath="${PATH_INFO%/*}/#attachments/${PATH_INFO##*/}" + if ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then + theme_error 403 + return 0 + elif [ -f "$_DATA/pages/$attpath" ]; then + FILE "$_DATA/pages/$attpath" + return 0 + elif [ -f "$_EXEC/pages/$attpath" ]; then + FILE "$_EXEC/pages/$attpath" + return 0 + else + theme_error 404 + return 0 + fi + ;; + */*/) + return 1 + ;; + */*) + attpath="${PATH_INFO%/*}/#attachments/${PATH_INFO##*/}" - if ! acl_read "${PATH_INFO%/*}/"; then - theme_error 403 - return 0 - elif [ -f "$_DATA/pages/$attpath" ]; then - FILE "$(attachment_convert "$_DATA/pages/$attpath")" - return 0 - elif [ -f "$_EXEC/pages/$attpath" ]; then - FILE "$(attachment_convert "$_EXEC/pages/$attpath")" - return 0 - elif [ -d "$_DATA/pages/${PATH_INFO}" -o -d "$_EXEC/pages/${PATH_INFO}" ]; then - REDIRECT "${_BASE}${PATH_INFO}/" - elif [ "${PATH_INFO%\[*\]}" = "${PATH_INFO}" ]; then - theme_error 404 - return 0 - fi -fi + if ! acl_read "${PATH_INFO%/*}/"; then + theme_error 403 + return 0 + elif [ -f "$_DATA/pages/$attpath" ]; then + FILE "$(attachment_convert "$_DATA/pages/$attpath")" + return 0 + elif [ -f "$_EXEC/pages/$attpath" ]; then + FILE "$(attachment_convert "$_EXEC/pages/$attpath")" + return 0 + elif [ -d "$_DATA/pages/${PATH_INFO}" -o -d "$_EXEC/pages/${PATH_INFO}" ]; then + REDIRECT "${_BASE}${PATH_INFO}/" + elif [ "${PATH_INFO%\[*\]}" = "${PATH_INFO}" ]; then + theme_error 404 + return 0 + fi + ;; +esac return 1