- my $final_filename=linkpage(IkiWiki::possibly_foolish_untaint(
- attachment_location($form->field('page')).
- $filename));
- if (IkiWiki::file_pruned($final_filename)) {
- error(gettext("bad attachment filename"));
+ my $final_filename=
+ linkpage(IkiWiki::possibly_foolish_untaint(
+ attachment_location(scalar $form->field('page')))).
+ $filename;
+ eval {
+ if (IkiWiki::file_pruned($final_filename)) {
+ error(gettext("bad attachment filename"));
+ }
+ IkiWiki::check_canedit($final_filename, $q, $session);
+ # And that the attachment itself is acceptable.
+ check_canattach($session, $final_filename, $tempfile);
+ };
+ if ($@) {
+ # save error in case called functions clobber $@
+ my $error = $@;
+ json_response($q, $form, $dest."/".$filename, $error);
+ error $error;