Tell `git revert` not to follow renames (CVE-2016-10026)
index 52bac7c1e937ba87e2711ff41319e13a5cfd7814..ab1929e3618e39ead815bfe71639272e2a71d55b 100644 (file)
@@ -116,9 +116,10 @@ sub formbuilder_setup (@) {
                        $form->tmpl_param("attachments-class" => "toggleable-open");
                }
                
-               # Save attachments in holding area before previewing so
-               # they can be seen in the preview.
-               if ($form->submitted eq "Preview") {
+               # Save attachments in holding area before previewing and
+               # saving.
+               if ($form->submitted eq "Preview" ||
+                   $form->submitted eq "Save Page") {
                        attachments_save($form, $params{session});
                }
        }
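Review bot: `$form->submitted` is called twice on L14–15 just to compare it against two button captions; a lexical keeps one call site and reads more naturally: `my $submitted = $form->submitted;` followed by `if ($submitted eq "Preview" || $submitted eq "Save Page") {`. The test compares against literal button captions, so relabelling the save button elsewhere would silently stop attachments from being saved; a short comment such as `# must match the captions of the Preview and Save buttons on the edit form` would record that coupling. The body of formbuilder_setup starts and ends outside the hunk.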
@@ -147,7 +148,7 @@ sub formbuilder (@) {
                        $f=Encode::decode_utf8($f);
                        $f=~s/^$page\///;
                        if (IkiWiki::isinlinableimage($f) &&
-                           UNIVERSAL::can("IkiWiki::Plugin::img", "import")) {
+                           IkiWiki::Plugin::img->can("import")) {
                                $add.='[[!img '.$f.' align="right" size="" alt=""]]';
                        }
                        else {
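Review bot: `$f=~s/^$page\///;` on L21 interpolates the page name into the pattern unescaped, so if page names may contain regex metacharacters such as `.` or `+` the prefix is not stripped as intended and the unstripped name flows into the `[[!img ...]]` directive built on L25; `$f=~s/^\Q$page\E\///;` quotes it. The method-call form `IkiWiki::Plugin::img->can("import")` on L24 is the right replacement for the function-style `UNIVERSAL::can`. The enclosing loop and formbuilder both start outside the hunk.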
@@ -155,14 +156,15 @@ sub formbuilder (@) {
                        }
                        $add.="\n";
                }
+               my $content = $form->field('editcontent');
                $form->field(name => 'editcontent',
-                       value => $form->field('editcontent')."\n\n".$add,
+                       value => $content."\n\n".$add,
                        force => 1) if length $add;
        }
        
        # Generate the attachment list only after having added any new
        # attachments.
-       $form->tmpl_param("attachment_list" => [attachment_list($form->field('page'))]);
+       $form->tmpl_param("attachment_list" => [attachment_list(scalar $form->field('page'))]);
 }
 
 sub attachment_holding_location {
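Review bot: The `scalar` added on L42, and the same change on L51, L57, L66 and L75 in the later hunks, carries no comment saying why it is needed, and L32 applies what looks like the same fix in a different shape (assignment to a lexical before use) with no comment either. Presumably `$form->field(...)` returns a list in list context, so inside the `[...]` constructor or an argument list a repeated `page` parameter would expand into extra elements; a one-line comment at the first occurrence would stop a later cleanup from dropping the `scalar`, e.g. `# field() is context-sensitive: force scalar so a repeated 'page' parameter cannot expand into extra arguments`. The body of formbuilder starts before this hunk.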
@@ -212,12 +214,12 @@ sub attachment_store {
        $filename=IkiWiki::basename($filename);
        $filename=~s/.*\\+(.+)/$1/; # hello, windows
        $filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
-       my $dest=attachment_holding_location($form->field('page'));
+       my $dest=attachment_holding_location(scalar $form->field('page'));
        
        # Check that the user is allowed to edit the attachment.
        my $final_filename=
                linkpage(IkiWiki::possibly_foolish_untaint(
-                       attachment_location($form->field('page')))).
+                       attachment_location(scalar $form->field('page')))).
                $filename;
        eval {
                if (IkiWiki::file_pruned($final_filename)) {
@@ -269,20 +271,23 @@ sub attachments_save {
 
        # Move attachments out of holding directory.
        my @attachments;
-       my $dir=attachment_holding_location($form->field('page'));
+       my $dir=attachment_holding_location(scalar $form->field('page'));
        foreach my $filename (glob("$dir/*")) {
+               $filename=Encode::decode_utf8($filename);
                next unless -f $filename;
-               my $dest=$config{srcdir}."/".
+               my $destdir=$config{srcdir}."/".
                        linkpage(IkiWiki::possibly_foolish_untaint(
-                               attachment_location($form->field('page')))).
-                       IkiWiki::basename($filename);
+                               attachment_location(scalar $form->field('page'))));
+               my $destfile=IkiWiki::basename($filename);
+               my $dest=$destdir.$destfile;
                unlink($dest);
+               IkiWiki::prep_writefile($destfile, $destdir);
                rename($filename, $dest);
                push @attachments, $dest;
        }
        return unless @attachments;
        require IkiWiki::Render;
-       IkiWiki::prune($dir);
+       IkiWiki::prune($dir, $config{wikistatedir}."/attachments");
 
        # Check the attachments in and trigger a wiki refresh.
        if ($config{rcs}) {
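Review bot: `rename($filename, $dest)` on L80 (and `unlink($dest)` on L78) are unchecked; if the rename fails — for instance because `$destdir` could not be created or the holding area is on another filesystem — the loop still pushes `$dest` onto @attachments, the RCS check-in that follows operates on a path that was never written, and the file stays behind in the holding directory. Something like `rename($filename, $dest) or die "rename $filename to $dest failed: $!";` (substituting the plugin's usual error-reporting call, if it has one) would surface the failure. Moving `IkiWiki::prep_writefile($destfile, $destdir)` ahead of the rename on L79 looks right if that call is what prepares the destination directory, and the explicit stop directory passed to `prune` on L86 is a sensible bound. attachments_save continues outside the hunk.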
@@ -342,6 +347,7 @@ sub attachment_list ($) {
        my $dir=attachment_holding_location($page);
        my $heldmsg=gettext("this attachment is not yet saved");
        foreach my $file (glob("$dir/*")) {
+               $file=Encode::decode_utf8($file);
                next unless -f $file;
                my $base=IkiWiki::basename($file);
                my $f=$loc.$base;
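Review bot: The `Encode::decode_utf8($file)` on L94 (and L68 in the previous hunk) has no comment explaining why the glob result is decoded before the `-f` test, and a reader may wonder whether a decoded name is still the right value to hand back to the filesystem on the following lines. If the intent is to match the decoded page and file names used elsewhere in the plugin (L20 decodes the same way), say so: `# glob returns raw bytes; decode so $file compares and concatenates correctly with the decoded page name`. Whether `-f` and the later `rename` in attachments_save still resolve non-ASCII names once the string is decoded is worth confirming with a test that uploads an attachment whose name contains non-ASCII characters. attachment_list continues outside the hunk.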