]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blob - IkiWiki/Plugin/attachment.pm
passwordauth: avoid userinfo forgery via repeated email parameter
[git.ikiwiki.info.git] / IkiWiki / Plugin / attachment.pm
1 #!/usr/bin/perl
2 package IkiWiki::Plugin::attachment;
4 use warnings;
5 use strict;
6 use IkiWiki 3.00;
8 sub import {
9         add_underlay("attachment");
10         add_underlay("javascript");
11         add_underlay("jquery");
12         hook(type => "getsetup", id => "attachment", call => \&getsetup);
13         hook(type => "checkconfig", id => "attachment", call => \&checkconfig);
14         hook(type => "formbuilder_setup", id => "attachment", call => \&formbuilder_setup);
15         hook(type => "formbuilder", id => "attachment", call => \&formbuilder, last => 1);
16         IkiWiki::loadplugin("filecheck");
17 }
19 sub getsetup () {
20         return
21                 plugin => {
22                         safe => 1,
23                         rebuild => 0,
24                         section => "web",
25                 },
26                 allowed_attachments => {
27                         type => "pagespec",
28                         example => "virusfree() and mimetype(image/*) and maxsize(50kb)",
29                         description => "enhanced PageSpec specifying what attachments are allowed",
30                         link => "ikiwiki/PageSpec/attachment",
31                         safe => 1,
32                         rebuild => 0,
33                 },
34                 virus_checker => {
35                         type => "string",
36                         example => "clamdscan -",
37                         description => "virus checker program (reads STDIN, returns nonzero if virus found)",
38                         safe => 0, # executed
39                         rebuild => 0,
40                 },
41 }
43 sub check_canattach ($$;$) {
44         my $session=shift;
45         my $dest=shift; # where it's going to be put, under the srcdir
46         my $file=shift; # the path to the attachment currently
48         # Don't allow an attachment to be uploaded with the same name as an
49         # existing page.
50         if (exists $IkiWiki::pagesources{$dest} &&
51             $IkiWiki::pagesources{$dest} ne $dest) {
52                 error(sprintf(gettext("there is already a page named %s"), $dest));
53         }
55         # Use a special pagespec to test that the attachment is valid.
56         my $allowed=1;
57         if (defined $config{allowed_attachments} &&
58             length $config{allowed_attachments}) {
59                 $allowed=pagespec_match($dest,
60                         $config{allowed_attachments},
61                         file => $file,
62                         user => $session->param("name"),
63                         ip => $session->remote_addr(),
64                 );
65         }
67         if (! $allowed) {
68                 error(gettext("prohibited by allowed_attachments")." ($allowed)");
69         }
70         else {
71                 return 1;
72         }
73 }
75 sub checkconfig () {
76         $config{cgi_disable_uploads}=0;
77 }
79 sub formbuilder_setup (@) {
80         my %params=@_;
81         my $form=$params{form};
82         my $q=$params{cgi};
84         if (defined $form->field("do") && ($form->field("do") eq "edit" ||
85             $form->field("do") eq "create")) {
86                 # Add attachment field, set type to multipart.
87                 $form->enctype(&CGI::MULTIPART);
88                 $form->field(name => 'attachment', type => 'file');
89                 # These buttons are not put in the usual place, so
90                 # are not added to the normal formbuilder button list.
91                 $form->tmpl_param("field-upload" => '<input name="_submit" type="submit" value="Upload Attachment" />');
92                 $form->tmpl_param("field-link" => '<input name="_submit" type="submit" value="Insert Links" />');
94                 # Add all the javascript used by the attachments interface.
95                 require IkiWiki::Plugin::toggle;
96                 my $js=IkiWiki::Plugin::toggle::include_javascript($params{page});
97                 $js.='<link rel="stylesheet" href="'.urlto("ikiwiki/jquery-ui.min.css", $params{page}).'" id="theme">'."\n";
98                 my @jsfiles=qw{jquery.min jquery-ui.min
99                         jquery.tmpl.min jquery.iframe-transport
100                         jquery.fileupload jquery.fileupload-ui
101                 };
102                 foreach my $file (@jsfiles) {
103                         $js.='<script src="'.urlto("ikiwiki/$file.js", $params{page}).
104                              '" type="text/javascript" charset="utf-8"></script>'."\n";
105                 }
106                 $form->tmpl_param("javascript" => $js);
108                 # Start with the attachments interface toggled invisible,
109                 # but if it was used, keep it open.
110                 if ($form->submitted ne "Upload Attachment" &&
111                     (! defined $q->param("attachment_select") ||
112                     ! length $q->param("attachment_select"))) {
113                         $form->tmpl_param("attachments-class" => "toggleable");
114                 }
115                 else {
116                         $form->tmpl_param("attachments-class" => "toggleable-open");
117                 }
118                 
119                 # Save attachments in holding area before previewing and
120                 # saving.
121                 if ($form->submitted eq "Preview" ||
122                     $form->submitted eq "Save Page") {
123                         attachments_save($form, $params{session});
124                 }
125         }
128 sub formbuilder (@) {
129         my %params=@_;
130         my $form=$params{form};
131         my $q=$params{cgi};
133         return if ! defined $form->field("do") || ($form->field("do") ne "edit" && $form->field("do") ne "create") ;
135         my $filename=Encode::decode_utf8($q->param('attachment'));
136         if (defined $filename && length $filename) {
137                 attachment_store($filename, $form, $q, $params{session});
138         }
140         if ($form->submitted eq "Save Page") {
141                 attachments_save($form, $params{session});
142         }
144         if ($form->submitted eq "Insert Links") {
145                 my $page=quotemeta(Encode::decode_utf8($q->param("page")));
146                 my $add="";
147                 foreach my $f ($q->param("attachment_select")) {
148                         $f=Encode::decode_utf8($f);
149                         $f=~s/^$page\///;
150                         if (IkiWiki::isinlinableimage($f) &&
151                             IkiWiki::Plugin::img->can("import")) {
152                                 $add.='[[!img '.$f.' align="right" size="" alt=""]]';
153                         }
154                         else {
155                                 $add.="[[$f]]";
156                         }
157                         $add.="\n";
158                 }
159                 $form->field(name => 'editcontent',
160                         value => $form->field('editcontent')."\n\n".$add,
161                         force => 1) if length $add;
162         }
163         
164         # Generate the attachment list only after having added any new
165         # attachments.
166         $form->tmpl_param("attachment_list" => [attachment_list($form->field('page'))]);
169 sub attachment_holding_location {
170         my $page=attachment_location(shift);
172         my $dir=$config{wikistatedir}."/attachments/".
173                 IkiWiki::possibly_foolish_untaint(linkpage($page));
174         $dir=~s/\/$//;
175         return $dir;
178 sub is_held_attachment {
179         my $attachment=shift;
181         my $f=attachment_holding_location($attachment);
182         if (-f $f) {
183                 return $f
184         }
185         else {
186                 return undef;
187         }
190 # Stores the attachment in a holding area, not yet in the wiki proper.
191 sub attachment_store {
192         my $filename=shift;
193         my $form=shift;
194         my $q=shift;
195         my $session=shift;
196         
197         # This is an (apparently undocumented) way to get the name
198         # of the temp file that CGI writes the upload to.
199         my $tempfile=$q->tmpFileName($filename);
200         if (! defined $tempfile || ! length $tempfile) {
201                 # perl 5.8 needs an alternative, awful method
202                 if ($q =~ /HASH/ && exists $q->{'.tmpfiles'}) {
203                         foreach my $key (keys(%{$q->{'.tmpfiles'}})) {
204                                 $tempfile=$q->tmpFileName(\$key);
205                                 last if defined $tempfile && length $tempfile;
206                         }
207                 }
208                 if (! defined $tempfile || ! length $tempfile) {
209                         error("CGI::tmpFileName failed to return the uploaded file name");
210                 }
211         }
213         $filename=IkiWiki::basename($filename);
214         $filename=~s/.*\\+(.+)/$1/; # hello, windows
215         $filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
216         my $dest=attachment_holding_location($form->field('page'));
217         
218         # Check that the user is allowed to edit the attachment.
219         my $final_filename=
220                 linkpage(IkiWiki::possibly_foolish_untaint(
221                         attachment_location($form->field('page')))).
222                 $filename;
223         eval {
224                 if (IkiWiki::file_pruned($final_filename)) {
225                         error(gettext("bad attachment filename"));
226                 }
227                 IkiWiki::check_canedit($final_filename, $q, $session);
228                 # And that the attachment itself is acceptable.
229                 check_canattach($session, $final_filename, $tempfile);
230         };
231         if ($@) {
232                 json_response($q, $form, $dest."/".$filename, $@);
233                 error $@;
234         }
236         # Move the attachment into holding directory.
237         # Try to use a fast rename; fall back to copying.
238         IkiWiki::prep_writefile($filename, $dest);
239         unlink($dest."/".$filename);
240         if (rename($tempfile, $dest."/".$filename)) {
241                 # The temp file has tight permissions; loosen up.
242                 chmod(0666 & ~umask, $dest."/".$filename);
243         }
244         else {
245                 my $fh=$q->upload('attachment');
246                 if (! defined $fh || ! ref $fh) {
247                         # needed by old CGI versions
248                         $fh=$q->param('attachment');
249                         if (! defined $fh || ! ref $fh) {
250                                 # even that doesn't always work,
251                                 # fall back to opening the tempfile
252                                 $fh=undef;
253                                 open($fh, "<", $tempfile) || error("failed to open \"$tempfile\": $!");
254                         }
255                 }
256                 binmode($fh);
257                 require IkiWiki::Render; 
258                 writefile($filename, $dest, undef, 1, sub {
259                         IkiWiki::fast_file_copy($tempfile, $filename, $fh, @_);
260                 });
261         }
263         json_response($q, $form, $dest."/".$filename, stored_msg());
266 # Save all stored attachments for a page.
267 sub attachments_save {
268         my $form=shift;
269         my $session=shift;
271         # Move attachments out of holding directory.
272         my @attachments;
273         my $dir=attachment_holding_location($form->field('page'));
274         foreach my $filename (glob("$dir/*")) {
275                 $filename=Encode::decode_utf8($filename);
276                 next unless -f $filename;
277                 my $destdir=$config{srcdir}."/".
278                         linkpage(IkiWiki::possibly_foolish_untaint(
279                                 attachment_location($form->field('page'))));
280                 my $destfile=IkiWiki::basename($filename);
281                 my $dest=$destdir.$destfile;
282                 unlink($dest);
283                 IkiWiki::prep_writefile($destfile, $destdir);
284                 rename($filename, $dest);
285                 push @attachments, $dest;
286         }
287         return unless @attachments;
288         require IkiWiki::Render;
289         IkiWiki::prune($dir, $config{wikistatedir}."/attachments");
291         # Check the attachments in and trigger a wiki refresh.
292         if ($config{rcs}) {
293                 IkiWiki::rcs_add($_) foreach @attachments;
294                 IkiWiki::disable_commit_hook();
295                 IkiWiki::rcs_commit_staged(
296                         message => gettext("attachment upload"),
297                         session => $session,
298                 );
299                 IkiWiki::enable_commit_hook();
300                 IkiWiki::rcs_update();
301         }
302         IkiWiki::refresh();
303         IkiWiki::saveindex();
306 sub attachment_location ($) {
307         my $page=shift;
308         
309         # Put the attachment in a subdir of the page it's attached
310         # to, unless that page is the "index" page.
311         return "" if $page eq 'index';
312         $page.="/" if length $page;
313         
314         return $page;
317 sub attachment_list ($) {
318         my $page=shift;
319         my $loc=attachment_location($page);
321         my $std=sub {
322                 my $file=shift;
323                 my $mtime=shift;
324                 my $date=shift;
325                 my $size=shift;
327                 name => $file,
328                 size => IkiWiki::Plugin::filecheck::humansize($size),
329                 mtime => $date,
330                 mtime_raw => $mtime,
331         };
333         # attachments already in the wiki
334         my %attachments;
335         foreach my $f (values %pagesources) {
336                 if (! defined pagetype($f) &&
337                     $f=~m/^\Q$loc\E[^\/]+$/) {
338                         $attachments{$f}={
339                                 $std->($f, $IkiWiki::pagemtime{$f}, displaytime($IkiWiki::pagemtime{$f}), (stat($f))[7]),
340                                 link => htmllink($page, $page, $f, noimageinline => 1),
341                         };
342                 }
343         }
344         
345         # attachments in holding directory
346         my $dir=attachment_holding_location($page);
347         my $heldmsg=gettext("this attachment is not yet saved");
348         foreach my $file (glob("$dir/*")) {
349                 $file=Encode::decode_utf8($file);
350                 next unless -f $file;
351                 my $base=IkiWiki::basename($file);
352                 my $f=$loc.$base;
353                 $attachments{$f}={
354                         $std->($f, (stat($file))[9]*2, stored_msg(), (stat(_))[7]),
355                         link => $base,
356                 }
357         }
359         # Sort newer attachments to the end of the list.
360         return sort { $a->{mtime_raw} <=> $b->{mtime_raw} || $a->{link} cmp $b->{link} }
361                 values %attachments;
364 sub stored_msg {
365         gettext("just uploaded");
368 sub json_response ($$$$) {
369         my $q=shift;
370         my $form=shift;
371         my $filename=shift;
372         my $stored_msg=shift;
374         if (! defined $form->submitted ||
375             $form->submitted ne "Upload Attachment") {
376                 eval q{use JSON};
377                 error $@ if $@;
378                 print "Content-type: text/html\n\n";
379                 my $size=-s $filename;
380                 print to_json([
381                         {
382                                 name => IkiWiki::basename($filename),
383                                 size => $size,
384                                 humansize => IkiWiki::Plugin::filecheck::humansize($size),
385                                 stored_msg => $stored_msg,
386                                 
387                         }
388                 ]);
389                 exit 0;
390         }