From 883500946318196d3788d994d4a66932adf7077b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?=
Date: Wed, 11 May 2022 17:24:10 +0200
Subject: [PATCH] attachment deletion, acl and session validation for attachment uploading

---
 attachment.sh | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/attachment.sh b/attachment.sh
index 43e70c5..1981973 100755
--- a/attachment.sh
+++ b/attachment.sh
@@ -63,10 +63,24 @@ attachment_convert(){
 }
 
 if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then
-  . "$_EXEC/multipart.sh"
+  tsid="$(POST session_key)"; tsid="${tsid%% *}"
+  attachment_delete="$(POST delete)"
 
   if [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then
+    . "$_EXEC/multipart.sh"
     multipart_cache
+
+    # Validate session id from form to prevent CSRF
+    # Only validate if username is present, because no username means
+    # anonymous uploads are allowed via acl and cgilite/session.sh does not
+    # validate anonymous sessions from a multipart/formdata
+    if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
+      rm -- "$multipart_cachefile"
+      printf 'Refresh: %i\r\n' 4
+      theme_403
+      exit 0
+    fi
+
     mkdir -p "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/"
     n=1; while filename=$(multipart_filename "file" "$n"); do
       filename="$(printf %s "$filename" |tr /\\0 __)"
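Review bot: The CSRF check `if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]` uses the obsolescent `-a` operator, which makes `[` ambiguous when `$USER_NAME` expands to an operator-like token such as `!` or `=`; `if [ "$USER_NAME" ] && [ "$(multipart session_id)" != "$SESSION_ID" ]; then` is the unambiguous form, and the same applies to `elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]` in the second hunk. The token validated here is the multipart field `session_id`, while the non-multipart path in this hunk reads `POST session_key` into `tsid`; if both forms are meant to carry the same token, one of the two field names looks like a mismatch and deserves a comment naming the expected field for each form. The comment block already explains why anonymous uploads skip the check; adding that this relies on `acl_write` granting anonymous write only where intended would make the trust boundary explicit for the next reader. The enclosing `if` block continues past the hunk.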
@@ -76,6 +90,14 @@ if [ "${PATH_INFO%/\[attachment\]/}" != "${PATH_INFO}" ]; then
     rm -- "$multipart_cachefile"
     REDIRECT "${_BASE}${PATH_INFO}"
   elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
+    printf 'Refresh: %i\r\n' 4
+    theme_403
+    head -c $((CONTENT_LENGTH)) >/dev/null
+  elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
+    rm -- "$_DATA/pages/${PATH_INFO%/\[attachment\]/}/#attachments/$attachment_delete"
+    REDIRECT "${_BASE}${PATH_INFO}"
+  elif [ "$attachment_delete" ]; then
+    printf 'Refresh: %i\r\n' 4
     theme_403
   elif acl_read "${PATH_INFO%\[attachment\]/}"; then
     theme_attachments "${PATH_INFO%\[attachment\]/}"
-- 
2.39.2
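Review bot: The deletion branch `elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]` removes a file under `#attachments/` after checking only the session token, not `acl_write` for the page, whereas the upload branch above requires `acl_write "${PATH_INFO%\[attachment\]/}"`; any holder of a valid session can therefore delete attachments on pages they are not allowed to write. The name also comes straight from `POST delete` and reaches `rm --` without the `tr /\\0 __` normalization the first hunk applies to uploaded file names, so a value containing `/` is not confined to the `#attachments/` directory. Two small changes close both gaps: `elif [ "$attachment_delete" ] && [ "$SESSION_ID" = "$tsid" ] && acl_write "${PATH_INFO%\[attachment\]/}"; then` here (a failed ACL check then falls through to the existing 403 branch), and `attachment_delete="$(POST delete)"; attachment_delete="$(printf %s "$attachment_delete" |tr /\\0 __)"` at the assignment in the first hunk. The `rm` status is not checked, so a name that does not exist still redirects as if deleted; that may be acceptable, but a comment saying so would help. The `if` block this `elif` chain belongs to starts before the hunk.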