hook(type => "formbuilder", id => "attachment", call => \&formbuilder);
} # }}}
+sub check_canattach ($$;$) {
+ my $session=shift;
+ my $dest=shift; # where it's going to be put, under the srcdir
+ my $file=shift; # the path to the attachment currently
+
+ # Use a special pagespec to test that the attachment is valid.
+ my $allowed=1;
+ foreach my $admin (@{$config{adminuser}}) {
+ my $allowed_attachments=IkiWiki::userinfo_get($admin, "allowed_attachments");
+ if (defined $allowed_attachments &&
+ length $allowed_attachments) {
+ $allowed=pagespec_match($dest,
+ $allowed_attachments,
+ file => $file,
+ user => $session->param("name"),
+ ip => $ENV{REMOTE_ADDR},
+ );
+ last if $allowed;
+ }
+ }
+ if (! $allowed) {
+ error(gettext("prohibited by allowed_attachments")." ($allowed)");
+ }
+ else {
+ return 1;
+ }
+}
+
sub checkconfig () { #{{{
$config{cgi_disable_uploads}=0;
} #}}}
my $q=$params{cgi};
if (defined $form->field("do") && $form->field("do") eq "edit") {
+ # Add attachment field, set type to multipart.
+ $form->enctype(&CGI::MULTIPART);
$form->field(name => 'attachment', type => 'file');
# These buttons are not put in the usual place, so
# are not added to the normal formbuilder button list.
# This is an (apparently undocumented) way to get the name
# of the temp file that CGI writes the upload to.
my $tempfile=$q->tmpFileName($filename);
-
+ if (! defined $tempfile || ! length $tempfile) {
+ # perl 5.8 needs an alternative, awful method
+ if ($q =~ /HASH/ && exists $q->{'.tmpfiles'}) {
+ foreach my $key (keys(%{$q->{'.tmpfiles'}})) {
+ $tempfile=$q->tmpFileName(\$key);
+ last if defined $tempfile && length $tempfile;
+ }
+ }
+ if (! defined $tempfile || ! length $tempfile) {
+ error("CGI::tmpFileName failed to return the uploaded file name");
+ }
+ }
+
$filename=IkiWiki::titlepage(
IkiWiki::possibly_foolish_untaint(
attachment_location($form->field('page')).
# Check that the user is allowed to edit a page with the
# name of the attachment.
IkiWiki::check_canedit($filename, $q, $session, 1);
-
- # Use a special pagespec to test that the attachment is valid.
- my $allowed=1;
- foreach my $admin (@{$config{adminuser}}) {
- my $allowed_attachments=IkiWiki::userinfo_get($admin, "allowed_attachments");
- if (defined $allowed_attachments &&
- length $allowed_attachments) {
- $allowed=pagespec_match($filename,
- $allowed_attachments,
- file => $tempfile,
- user => $session->param("name"),
- ip => $ENV{REMOTE_ADDR},
- );
- last if $allowed;
- }
- }
- if (! $allowed) {
- error(gettext("attachment rejected")." ($allowed)");
- }
+ # And that the attachment itself is acceptable.
+ check_canattach($session, $filename, $tempfile);
# Needed for fast_file_copy and for rendering below.
require IkiWiki::Render;
# needed by old CGI versions
$fh=$q->param('attachment');
if (! defined $fh || ! ref $fh) {
- error("failed to get filehandle");
+ # even that doesn't always work,
+ # fall back to opening the tempfile
+ $fh=undef;
+ open($fh, "<", $tempfile) || error("failed to open \"$tempfile\": $!");
}
}
binmode($fh);
waitpid $pid, 0;
$SIG{PIPE}="DEFAULT";
if ($sigpipe || $?) {
+ if (! length $reason) {
+ $reason="virus checker $IkiWiki::config{virus_checker}; failed with no output";
+ }
return IkiWiki::FailReason->new("file seems to contain a virus ($reason)");
}
else {
if (defined $params{user} && lc $params{user} eq lc $user) {
return IkiWiki::SuccessReason->new("user is $user");
}
+ elsif (! defined $params{user}) {
+ return IkiWiki::FailReason->new("not logged in");
+ }
else {
return IkiWiki::FailReason->new("user is $params{user}, not $user");
}