From: Joey Hess <joey@kitenet.net>
Date: Tue, 14 Jun 2011 17:38:37 +0000 (-0400)
Subject: store filename in holding dir in linkpage form
X-Git-Tag: 3.20110707~60^2~28
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/1d951583a6d3718ea5e44b8c52fb2acbe5a989e8?ds=inline

store filename in holding dir in linkpage form

Avoids any unpleasantness with .. or other special chars in the attachment
filename.
---

diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm
index b7ea1f312..f46388948 100644
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -178,11 +178,13 @@ sub attachment_store {
 
 	$filename=IkiWiki::basename($filename);
 	$filename=~s/.*\\+(.+)/$1/; # hello, windows
+	$filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
 	
 	# Check that the user is allowed to edit the attachment.
-	my $final_filename=linkpage(IkiWiki::possibly_foolish_untaint(
-		attachment_location($form->field('page')).
-		$filename));
+	my $final_filename=
+		linkpage(IkiWiki::possibly_foolish_untaint(
+			attachment_location($form->field('page')))).
+		$filename;
 	if (IkiWiki::file_pruned($final_filename)) {
 		error(gettext("bad attachment filename"));
 	}
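Review bot: The added line `$filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));` clears taint before any validation, so the holding-dir name is trusted purely on the strength of linkpage's escaping. The only check that follows is `file_pruned` on the joined `$final_filename`. linkpage is not defined in this hunk; if its allowed character set (configurable via `wiki_file_chars`, as far as I know) includes `.`, a name of `.` or `..` would pass through unchanged, and an empty name may also survive the basename call. I would validate the bare name first: `$filename=linkpage($filename);`, then `error(gettext("bad attachment filename")) if ! length $filename || IkiWiki::file_pruned($filename);`, and only then untaint. attachment_store continues outside the hunk, so the write into the holding directory is not visible here.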
@@ -232,8 +234,8 @@ sub attachments_save {
 		next unless -f $filename;
 		my $dest=$config{srcdir}."/".
 			linkpage(IkiWiki::possibly_foolish_untaint(
-				attachment_location($form->field('page')).
-				$filename));
+				attachment_location($form->field('page')))).
+			$filename;
 		unlink($dest);
 		rename($filename, $dest);
 		push @attachments, $dest;
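Review bot: `$filename` is now appended outside both `linkpage` and `possibly_foolish_untaint` when `$dest` is built, so this path applies no check of its own and trusts that every file in the holding directory was written by the normalised store path. If `$filename` is tainted here (its source is the loop header, outside the hunk), `$dest` becomes tainted and `unlink`/`rename` would be refused under taint mode. Because the same variable is passed to `-f` and `rename`, a value carrying directory components would also be copied verbatim into the destination path. Consider reducing it with `IkiWiki::basename($filename)`, rejecting it if `IkiWiki::file_pruned` matches, and untainting only after that. The result of `rename` should also be checked before `push @attachments, $dest;`, so a failed move is not reported as a saved attachment.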