store filename in holding dir in linkpage form

Avoids any unpleasantness with .. or other special chars in the attachment
filename.
master
Joey Hess 2011-06-14 13:38:37 -04:00
parent e08daac239
commit 1d951583a6
1 changed files with 7 additions and 5 deletions


@ -178,11 +178,13 @@ sub attachment_store {
$filename=IkiWiki::basename($filename);
$filename=~s/.*\\+(.+)/$1/; # hello, windows
$filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
# Check that the user is allowed to edit the attachment.
my $final_filename=linkpage(IkiWiki::possibly_foolish_untaint(
attachment_location($form->field('page')).
$filename));
my $final_filename=
linkpage(IkiWiki::possibly_foolish_untaint(
attachment_location($form->field('page')))).
$filename;
if (IkiWiki::file_pruned($final_filename)) {
error(gettext("bad attachment filename"));
}
@ -232,8 +234,8 @@ sub attachments_save {
next unless -f $filename;
my $dest=$config{srcdir}."/".
linkpage(IkiWiki::possibly_foolish_untaint(
attachment_location($form->field('page')).
$filename));
attachment_location($form->field('page')))).
$filename;
unlink($dest);
rename($filename, $dest);
push @attachments, $dest;
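Review bot: In the attachments_save hunk, `$filename` is now appended to `$dest` outside both `linkpage()` and `IkiWiki::possibly_foolish_untaint()`, so the path written under `$config{srcdir}` relies entirely on attachment_store having normalised the name when it was staged. Files already in the holding directory from before this change, or placed there by any other route, would keep their raw names, and no check on the combined path is visible in this hunk (the loop body starts and ends outside it). Consider repeating the store-side guard before the `unlink`, for example `my $rel=linkpage(IkiWiki::possibly_foolish_untaint(attachment_location($form->field('page')))).$filename;` followed by `next if IkiWiki::file_pruned($rel);`. Separately, the result of `rename($filename, $dest)` is not checked, so `$dest` is pushed onto `@attachments` even if the move fails after the old file has been unlinked; the push should happen only on success.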