X-Git-Url: https://git.plutz.net/?a=blobdiff_plain;f=handlers%2F20_attachment.sh;h=1e0719037ee0d4642601abb1141ad456dbe64d2b;hb=b0ccec5d3d972350accfc64149bf724c29bf577a;hp=1cf4c53eb2f92b5027068447358a7167a19dd51d;hpb=e80c289e4e82f70c9e7426c6c1d3c71c8a42046e;p=shellwiki
diff --git a/handlers/20_attachment.sh b/handlers/20_attachment.sh
index 1cf4c53..1e07190 100755
--- a/handlers/20_attachment.sh
+++ b/handlers/20_attachment.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
 
+. "$_EXEC/cgilite/file.sh"
+
+# REV_ATTACHMENTS="${REV_ATTACHMENTS:-false}"
+
 attachment_convert(){
   local attpath="$1"
   local cachepath="${attpath%/#attachments/*}/#cache/${attpath#*/#attachments/}"
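Review bot: The commented-out `# REV_ATTACHMENTS="${REV_ATTACHMENTS:-false}"` added below the new source line is dead configuration with nothing saying what it would control or why it is disabled, so a later reader cannot tell whether it is planned, abandoned, or a hint to set the variable in the environment. Either drop the line or turn it into a comment that states its intent, e.g. `# REV_ATTACHMENTS: reserved, not yet honoured by this handler`. The `. "$_EXEC/cgilite/file.sh"` line presumably provides the `FILE` helper used further down; a short comment saying so would make the dependency explicit.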
@@ -59,54 +63,37 @@ attachment_convert(){
       printf %s "$attpath"
       return 0
       ;;
+    *) printf "$attpath";;
   esac
 }
 
 case ${PATH_INFO} in
   */\[attachment\]/)
-    tsid="$(POST session_key)"; tsid="${tsid%% *}"
-    attachment_delete="$(POST delete)"
-
-    if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
-      . "$_EXEC/multipart.sh"
-      multipart_cache
-
-      # Validate session id from form to prevent CSRF
-      # Only validate if username is present, because no username means
-      # anonymous uploads are allowed via acl and cgilite/session.sh does not
-      # validate anonymous sessions from a multipart/formdata
-      if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
-        rm -- "$multipart_cachefile"
-        printf 'Refresh: %i\r\n' 4
-        theme_error 403
-        return 0
-      fi
+    # no trailing slash
+    REDIRECT "${_BASE}${PATH_INFO%/}"
+    ;;
+  */*/)
+    # attached files never end on /
+    return 1
+    ;;
+  */\[attachment\])
+    # show attachment page
+    page="${PATH_INFO%\[attachment\]}"
 
-      mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/"
-      n=1; while filename=$(multipart_filename "file" "$n"); do
-        filename="$(printf %s "$filename" |tr /\\0 __)"
-        multipart "file" "$n" >"$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$filename"
-        n=$((n + 1))
-      done
-      rm -- "$multipart_cachefile"
-      REDIRECT "${_BASE}${PATH_INFO}"
+    if [ ! -d "$_DATA/pages${page}" -a ! -d "$_DATA/pages${page}" ]; then
+      # base page does not exist
+      return 1
     elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
-      printf 'Refresh: %i\r\n' 4
+      # pass uploads to next handler
+      return 1
+    elif [ "$(POST action)" ]; then
+      # pass edits to next handler
+      return 1
+    elif ! acl_read "${page}"; then
       theme_error 403
-      head -c $((CONTENT_LENGTH)) >/dev/null
-      return 0
-    elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
-      rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete"
-      REDIRECT "${_BASE}${PATH_INFO}"
-    elif [ "$attachment_delete" ]; then
-      printf 'Refresh: %i\r\n' 4
-      theme_error 403
-      return 0
-    elif acl_read "${PATH_INFO%\[attachment\]/}"; then
-      theme_attachments "${PATH_INFO%\[attachment\]/}"
       return 0
     else
-      theme_error 404
+      theme_attachments "${page}"
       return 0
     fi
     ;;
@@ -114,7 +101,9 @@ case ${PATH_INFO} in
 
   */\[attachment\]/*)
     attpath="${PATH_INFO%/\[attachment\]/*}/#attachments/${PATH_INFO##*/}"
-    if ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then
+    if [ ! -f "$_DATA/pages/$attpath" -a ! -f "$_EXEC/pages/$attpath" ]; then
+      return 1
+    elif ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then
       theme_error 403
       return 0
     elif [ -f "$_DATA/pages/$attpath" ]; then
@@ -123,18 +112,14 @@ case ${PATH_INFO} in
     elif [ -f "$_EXEC/pages/$attpath" ]; then
       FILE "$_EXEC/pages/$attpath"
       return 0
-    else
-      theme_error 404
-      return 0
     fi
     ;;
 
-  */*/)
-    return 1
-    ;;
   */*)
     attpath="${PATH_INFO%/*}/#attachments/${PATH_INFO##*/}"
-    if ! acl_read "${PATH_INFO%/*}/"; then
+    if [ ! -f "$_DATA/pages/$attpath" -a ! -f "$_EXEC/pages/$attpath" ]; then
+      return 1
+    elif ! acl_read "${PATH_INFO%/*}/"; then
       theme_error 403
       return 0
     elif [ -f "$_DATA/pages/$attpath" ]; then
@@ -143,11 +128,6 @@ case ${PATH_INFO} in
     elif [ -f "$_EXEC/pages/$attpath" ]; then
       FILE "$(attachment_convert "$_EXEC/pages/$attpath")"
       return 0
-    elif [ -d "$_DATA/pages/${PATH_INFO}" -o -d "$_EXEC/pages/${PATH_INFO}" ]; then
-      REDIRECT "${_BASE}${PATH_INFO}/"
-    elif [ "${PATH_INFO%\[*\]}" = "${PATH_INFO}" ]; then
-      theme_error 404
-      return 0
     fi
     ;;
 esac
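Review bot: The new existence test in the `*/\[attachment\])` arm, `if [ ! -d "$_DATA/pages${page}" -a ! -d "$_DATA/pages${page}" ]`, checks the same path twice, so a page that exists only under `$_EXEC/pages` (the second location the later arms consult) is reported as missing and handed to the next handler instead of getting its attachment page; the second operand should presumably be `"$_EXEC/pages${page}"`, i.e. `if [ ! -d "$_DATA/pages${page}" ] && [ ! -d "$_EXEC/pages${page}" ]; then`. Separately, the new default arm in attachment_convert, `*) printf "$attpath";;`, uses the path as the printf format string; the later arms show attpath is built from PATH_INFO, so any `%` in a requested attachment name is interpreted as a directive and the function returns a path that no longer names the file. The other arms already use `printf %s "$attpath"`, and this one should read `*) printf %s "$attpath";;`. attachment_convert and the enclosing case both begin before this hunk.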
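Review bot: In the `*/\[attachment\]/*` arm the new `[ ! -f "$_DATA/pages/$attpath" -a ! -f "$_EXEC/pages/$attpath" ]` test now runs before `acl_read`, so a caller without read permission receives `return 1` (fall-through) for a name that does not exist but `theme_error 403` for one that does; before this change the 403 came first, and the response did not reveal whether an attachment exists on a page the caller may not read. Every path matched by this arm is an attachment path, so the two checks can simply be swapped: keep `if ! acl_read "${PATH_INFO%/\[attachment\]/*}"; then` first and make the existence test the `elif` that returns 1. The `*/*` arm in the following hunk has the same ordering; there a missing attachment may legitimately be a page for the next handler, so if the order is kept on purpose it deserves a comment such as `# NOTE: existence is tested before the ACL so page paths can fall through; confirm the page handler enforces read access`. `-a` inside `[` is also marked obsolescent by POSIX; `[ ! -f "$a" ] && [ ! -f "$b" ]` is the portable spelling.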