attachment deletion, acl and session validation for attachment uploading
authorPaul Hänsch <paul@plutz.net>
Wed, 11 May 2022 15:24:10 +0000 (17:24 +0200)
committerPaul Hänsch <paul@plutz.net>
Wed, 11 May 2022 15:24:10 +0000 (17:24 +0200)
attachment.sh

index 43e70c545239385c2277293a3e17a7b0f8743c1b..1981973d392359604c14c6d72c3ef479c1d295d8 100755 (executable)
@@ -63,10 +63,24 @@ attachment_convert(){
 }
 
 if [ "${PATH_INFO%/\[attachment\]/}"  != "${PATH_INFO}" ]; then
-  . "$_EXEC/multipart.sh"
+  tsid="$(POST session_key)"; tsid="${tsid%% *}"
+  attachment_delete="$(POST delete)"
 
   if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
+    . "$_EXEC/multipart.sh"
     multipart_cache
+
+    # Validate session id from form to prevent CSRF
+    # Only validate if username is present, because no username means
+    # anonymous uploads are allowed via acl and cgilite/session.sh does not
+    # validate anonymous sessions from a multipart/formdata
+    if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
+      rm -- "$multipart_cachefile"
+      printf 'Refresh: %i\r\n' 4
+      theme_403
+      exit 0
+    fi
+
     mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/"
     n=1; while filename=$(multipart_filename "file" "$n"); do
       filename="$(printf %s "$filename" |tr /\\0 __)"
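Review bot: The CSRF token is read under two different field names in the new code: the multipart upload path compares `$(multipart session_id)` against `$SESSION_ID`, while the urlencoded delete path a few lines later reads `POST session_key`; unless the upload and delete forms really emit differently named fields, one of the two checks will fail closed for every request, so this deserves a confirming comment or a single shared name. The `tsid="${tsid%% *}"` truncation at the first space also applies only to the delete token, not to the multipart one, which is a second asymmetry worth a one-line comment explaining the expected token format. As a point of style, `[ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]` uses the obsolescent `-a`, which is ambiguous when `$USER_NAME` looks like an operator; prefer `if [ -n "$USER_NAME" ] && [ "$(multipart session_id)" != "$SESSION_ID" ]; then`. The enclosing `if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]` block continues past the end of this hunk.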
@@ -76,6 +90,14 @@ if [ "${PATH_INFO%/\[attachment\]/}"  != "${PATH_INFO}" ]; then
     rm -- "$multipart_cachefile"
     REDIRECT "${_BASE}${PATH_INFO}"
   elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
+    printf 'Refresh: %i\r\n' 4
+    theme_403
+    head -c $((CONTENT_LENGTH)) >/dev/null
+  elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
+    rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete"
+    REDIRECT "${_BASE}${PATH_INFO}"
+  elif [ "$attachment_delete" ]; then
+    printf 'Refresh: %i\r\n' 4
     theme_403
   elif acl_read "${PATH_INFO%\[attachment\]/}"; then
     theme_attachments "${PATH_INFO%\[attachment\]/}"
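Review bot: The new delete branch authorizes on session match alone — `elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]` — and never calls `acl_write`, whereas the upload branch above requires both `multipart/form-data` and `acl_write`; as written, any request carrying its own valid session token can remove attachments from pages the requester may not edit (the CSRF check proves the request is not forged, not that the user is allowed to write). The `rm -- ".../#attachments/$attachment_delete"` also uses the POSTed name unsanitized, so a value containing `../` escapes the attachments directory, while the upload path neutralises exactly this with `tr /\\0 __`. I would change the branch to `elif [ "$attachment_delete" ] && [ "$SESSION_ID" = "$tsid" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then`, then `attachment_delete="$(printf %s "$attachment_delete" |tr /\\0 __)"` before the `rm`, mirroring the upload sanitisation (with `/` mapped away, `.` and `..` can no longer leave the directory, and `rm` without `-r` refuses them anyway). The following `elif [ "$attachment_delete" ]` 403 fallback then also covers the ACL-denied case. The enclosing `if` chain's closing `fi` lies outside this hunk.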