Add automated test for using the CGI with git, including CVE-2016-10026
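--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -148,7 +148,7 @@ sub formbuilder (@) {
                        $f=Encode::decode_utf8($f);
                        $f=~s/^$page\///;
                        if (IkiWiki::isinlinableimage($f) &&
-                           UNIVERSAL::can("IkiWiki::Plugin::img", "import")) {
+                           IkiWiki::Plugin::img->can("import")) {
                                $add.='[[!img '.$f.' align="right" size="" alt=""]]';
                        }
                        else {
@@ -156,14 +156,15 @@ sub formbuilder (@) {
                        }
                        $add.="\n";
                }
+               my $content = $form->field('editcontent');
                $form->field(name => 'editcontent',
-                       value => $form->field('editcontent')."\n\n".$add,
+                       value => $content."\n\n".$add,
                        force => 1) if length $add;
        }
        
        # Generate the attachment list only after having added any new
        # attachments.
-       $form->tmpl_param("attachment_list" => [attachment_list($form->field('page'))]);
+       $form->tmpl_param("attachment_list" => [attachment_list(scalar $form->field('page'))]);
 }
 
 sub attachment_holding_location {
@@ -213,12 +214,12 @@ sub attachment_store {
        $filename=IkiWiki::basename($filename);
        $filename=~s/.*\\+(.+)/$1/; # hello, windows
        $filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
-       my $dest=attachment_holding_location($form->field('page'));
+       my $dest=attachment_holding_location(scalar $form->field('page'));
        
        # Check that the user is allowed to edit the attachment.
        my $final_filename=
                linkpage(IkiWiki::possibly_foolish_untaint(
-                       attachment_location($form->field('page')))).
+                       attachment_location(scalar $form->field('page')))).
                $filename;
        eval {
                if (IkiWiki::file_pruned($final_filename)) {
@@ -270,12 +271,13 @@ sub attachments_save {
 
        # Move attachments out of holding directory.
        my @attachments;
-       my $dir=attachment_holding_location($form->field('page'));
+       my $dir=attachment_holding_location(scalar $form->field('page'));
        foreach my $filename (glob("$dir/*")) {
+               $filename=Encode::decode_utf8($filename);
                next unless -f $filename;
                my $destdir=$config{srcdir}."/".
                        linkpage(IkiWiki::possibly_foolish_untaint(
-                               attachment_location($form->field('page'))));
+                               attachment_location(scalar $form->field('page'))));
                my $destfile=IkiWiki::basename($filename);
                my $dest=$destdir.$destfile;
                unlink($dest);
@@ -285,7 +287,7 @@ sub attachments_save {
        }
        return unless @attachments;
        require IkiWiki::Render;
-       IkiWiki::prune($dir);
+       IkiWiki::prune($dir, $config{wikistatedir}."/attachments");
 
        # Check the attachments in and trigger a wiki refresh.
        if ($config{rcs}) {
@@ -345,6 +347,7 @@ sub attachment_list ($) {
        my $dir=attachment_holding_location($page);
        my $heldmsg=gettext("this attachment is not yet saved");
        foreach my $file (glob("$dir/*")) {
+               $file=Encode::decode_utf8($file);
                next unless -f $file;
                my $base=IkiWiki::basename($file);
                my $f=$loc.$base;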
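Review bot: The `scalar` forced onto `$form->field('page')` is repeated at five call sites (once in formbuilder, twice each in attachment_store and attachments_save) with no comment saying why it matters, so a later edit could drop it unnoticed. These calls sit in argument-list position, where a request that repeats the `page` parameter would presumably expand into extra arguments to `attachment_location` / `attachment_holding_location`; confirm against the form library's list-context behaviour. Reading the field once per sub, as the second hunk already does for `$content`, would enforce single-value semantics by construction: `my $page=$form->field('page'); # scalar assignment: exactly one value even if the request repeats the parameter`, then pass `$page` everywhere. In attachments_save this also avoids re-reading the field on every iteration of the `glob` loop. The bodies of these subs start and end outside the hunks shown.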