path sanitizing for card parameter

[confetti] / cards / update_card.sh

diff --git a/cards/update_card.sh b/cards/update_card.sh
index b16ea0549c8548fd727d23b78de7ed6e54928ac5..34db10cfb740bdf23493b1590b221c8167b3581a 100755 (executable)
--- a/cards/update_card.sh
+++ b/cards/update_card.sh
@@ -20,13 +20,25 @@
 . "$_EXEC/pdiread.sh"
 . "$_EXEC/session_lock.sh"
 
+unset filter order card action newfield
+unset cardfile attfile tempfile
+unset vcf field cnt delete_key
+
 filter="$(REF f)"
 order="$(REF o)"
 
-card="$(POST card)"
-cardfile="$_DATA/vcard/$card"
+card="$(POST card |PATH)"
+cardfile="$_DATA/vcard/${card##*/}"
 attfile="$_DATA/mappings/attendance"
 
+action="$(POST action)"
+newfield="$(POST newfield |grep -m 1 -xE '[A-Z][A-Z0-9-]*')"
+
+if printf '%s\n' "$action" |grep -qxE 'addfield [A-Z][A-Z0-9]*'; then
+  newfield="${action##* }"
+  action=addfield
+fi
+
 if ! tempfile=$(CHECK_SLOCK "$cardfile"); then
   SET_COOKIE 0 message="NO VALID FILE LOCK"
   REDIRECT "/cards/?o=${order}&f=${filter}&e=${card}"
@@ -61,18 +73,30 @@ for field in $(POST_KEYS |grep -xE '[A-Z][A-Z0-9-]*'); do
       #   ;;
       TEL)
          vcf="$(pdi_update_attrib "$vcf" TEL $cnt TYPE="$(POST teltype $cnt |grep -Exm1 'HOME|WORK|CELL|FAX')")"
-         vcf="$(pdi_update_value "$vcf" "$field" "$cnt" "$(POST "$field" "$cnt")")"
+         vcf="$(pdi_update_value "$vcf" "$field" "$cnt" "$(vcf_escape "$(POST "$field" "$cnt")")")"
          ;;
       *)
-         vcf="$(pdi_update_value "$vcf" "$field" "$cnt" "$(POST "$field" "$cnt")")"
+         vcf="$(pdi_update_value "$vcf" "$field" "$cnt" "$(vcf_escape "$(POST "$field" "$cnt")")")"
         ;;
     esac
 done; done
-[ "$(POST action)" = addfield ] && vcf="$(vcf_update_field "$vcf" "$(POST newfield)" $(($(pdi_count $(POST newfield)) + 1)) '')"
 
-printf '%s' "$vcf" >"$tempfile"
+# delete fields, first mark for deletion using delete_key
+# this way the field enumeration is preserved during the process
+# finally filter marked lines
+delete_key="$(randomid)"
+for delete in $(POST_KEYS |grep -xE '[A-Z][A-Z0-9-]*_delete_[0-9]+'); do
+  f="${delete%%_*}"; c="${delete##*_}";
+  [ "$(POST "$delete")" = "true" ] && vcf="$(pdi_update_value "$vcf" "$f" "$c" "delete=${delete_key}")"
+done
+vcf="$(printf '%s\n' "$vcf" |sed -E "/^[^:]+:delete=${delete_key}\$/d")"
+
+if [ "$action" = addfield ]; then
+  vcf="$(pdi_update_value "$vcf" "$newfield" $(( $(pdi_count "$vcf" "$newfield") + 1 )) '')"
+fi
+printf '%s' "$vcf" |grep -vx '' >"$tempfile"
 
-case "$(POST action)" in
+case "$action" in
   addfield)
     REDIRECT "/cards/?o=${order}&f=${filter}&e=${card}"
     ;;