From: Paul Hänsch Date: Wed, 11 May 2022 15:24:10 +0000 (+0200) Subject: attachment deletion, acl and session validation for attachment uploading X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=883500946318196d3788d994d4a66932adf7077b;p=shellwiki attachment deletion, acl and session validation for attachment uploading --- diff --git a/attachment.sh b/attachment.sh index 43e70c5..1981973 100755 --- a/attachment.sh +++ b/attachment.sh @@ -63,10 +63,24 @@ attachment_convert(){ } if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then - . "$_EXEC/multipart.sh" + tsid="$(POST session_key)"; tsid="${tsid%% *}" + attachment_delete="$(POST delete)" if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then + . "$_EXEC/multipart.sh" multipart_cache + + # Validate session id from form to prevent CSRF + # Only validate if username is present, because no username means + # anonymous uploads are allowed via acl and cgilite/session.sh does not + # validate anonymous sessions from a multipart/formdata + if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then + rm -- "$multipart_cachefile" + printf 'Refresh: %i\r\n' 4 + theme_403 + exit 0 + fi + mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/" n=1; while filename=$(multipart_filename "file" "$n"); do filename="$(printf %s "$filename" |tr /\\0 __)" @@ -76,6 +90,14 @@ if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then rm -- "$multipart_cachefile" REDIRECT "${_BASE}${PATH_INFO}" elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then + printf 'Refresh: %i\r\n' 4 + theme_403 + head -c $((CONTENT_LENGTH)) >/dev/null + elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then + rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete" + REDIRECT "${_BASE}${PATH_INFO}" + elif [ "$attachment_delete" ]; then + printf 'Refresh: %i\r\n' 4 theme_403 elif acl_read "${PATH_INFO%\[attachment\]/}"; then theme_attachments "${PATH_INFO%\[attachment\]/}"