aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@kitenet.net>2011-06-14 13:38:37 -0400
committerJoey Hess <joey@kitenet.net>2011-06-14 13:38:37 -0400
commit1d951583a6d3718ea5e44b8c52fb2acbe5a989e8 (patch)
treefebdc3a2520a0a3cd90a53e7187dbb77d96d4aa3
parente08daac239a0a29b5b9d936d6ec4f9ae1c67bf49 (diff)
downloadikiwiki-1d951583a6d3718ea5e44b8c52fb2acbe5a989e8.tar
ikiwiki-1d951583a6d3718ea5e44b8c52fb2acbe5a989e8.tar.gz
store filename in holding dir in linkpage form
Avoids any unpleasantness with .. or other special chars in the attachment filename.
-rw-r--r--IkiWiki/Plugin/attachment.pm12
1 files changed, 7 insertions, 5 deletions
diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm
index b7ea1f312..f46388948 100644
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -178,11 +178,13 @@ sub attachment_store {
$filename=IkiWiki::basename($filename);
$filename=~s/.*\\+(.+)/$1/; # hello, windows
+ $filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
# Check that the user is allowed to edit the attachment.
- my $final_filename=linkpage(IkiWiki::possibly_foolish_untaint(
- attachment_location($form->field('page')).
- $filename));
+ my $final_filename=
+ linkpage(IkiWiki::possibly_foolish_untaint(
+ attachment_location($form->field('page')))).
+ $filename;
if (IkiWiki::file_pruned($final_filename)) {
error(gettext("bad attachment filename"));
}
@@ -232,8 +234,8 @@ sub attachments_save {
next unless -f $filename;
my $dest=$config{srcdir}."/".
linkpage(IkiWiki::possibly_foolish_untaint(
- attachment_location($form->field('page')).
- $filename));
+ attachment_location($form->field('page')))).
+ $filename;
unlink($dest);
rename($filename, $dest);
push @attachments, $dest;