untaint and linkpage the page name used in attachment holding directory

author Joey Hess <joey@kitenet.net>

Tue, 14 Jun 2011 17:41:07 +0000 (13:41 -0400)

committer Joey Hess <joey@kitenet.net>

Tue, 14 Jun 2011 17:41:07 +0000 (13:41 -0400)
author Joey Hess <joey@kitenet.net>
Tue, 14 Jun 2011 17:41:07 +0000 (13:41 -0400)
committer Joey Hess <joey@kitenet.net>
Tue, 14 Jun 2011 17:41:07 +0000 (13:41 -0400)
diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm

index f4638894880b2ecaf837d60fe45488b8370b715e..f4bfbe98f4cc3eb63f313c7bf5d39c39eb4b2b26 100644 (file)
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -150,7 +150,8 @@ sub formbuilder (@) {
  sub attachment_holding_dir {
         my $page=shift;
  
-       return $config{wikistatedir}."/attachments/$page";
+       return $config{wikistatedir}."/attachments/".
+               IkiWiki::possibly_foolish_untaint(linkpage($page));
  }
  
  # Stores the attachment in a holding area, not yet in the wiki proper.
author	Joey Hess <joey@kitenet.net>
	Tue, 14 Jun 2011 17:41:07 +0000 (13:41 -0400)
committer	Joey Hess <joey@kitenet.net>
	Tue, 14 Jun 2011 17:41:07 +0000 (13:41 -0400)