store filename in holding dir in linkpage form
authorJoey Hess <joey@kitenet.net>
Tue, 14 Jun 2011 17:38:37 +0000 (13:38 -0400)
committerJoey Hess <joey@kitenet.net>
Tue, 14 Jun 2011 17:38:37 +0000 (13:38 -0400)
Avoids any unpleasantness with .. or other special chars in the attachment
filename.

IkiWiki/Plugin/attachment.pm

index b7ea1f312793b1ea61e44c890c720b537f6d0a6b..f4638894880b2ecaf837d60fe45488b8370b715e 100644 (file)
@@ -178,11 +178,13 @@ sub attachment_store {
 
        $filename=IkiWiki::basename($filename);
        $filename=~s/.*\\+(.+)/$1/; # hello, windows
+       $filename=IkiWiki::possibly_foolish_untaint(linkpage($filename));
        
        # Check that the user is allowed to edit the attachment.
-       my $final_filename=linkpage(IkiWiki::possibly_foolish_untaint(
-               attachment_location($form->field('page')).
-               $filename));
+       my $final_filename=
+               linkpage(IkiWiki::possibly_foolish_untaint(
+                       attachment_location($form->field('page')))).
+               $filename;
        if (IkiWiki::file_pruned($final_filename)) {
                error(gettext("bad attachment filename"));
        }
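Review bot: The added `possibly_foolish_untaint(linkpage($filename))` untaints the uploaded name unconditionally, so its safety rests entirely on what `linkpage` escapes. `.` is normally among the permitted wiki file characters, so a name made up only of dots would presumably come through unchanged, despite the commit message. The `file_pruned` test below is applied to `$final_filename`; whether the bare `$filename` is validated before it is used in the holding directory is not visible, because `attachment_store` continues past the hunk. I would reject such names right after the new line, e.g. `error(gettext("bad attachment filename")) if $filename =~ /\A\.*\z/;`, and add a comment there stating why the untaint is considered safe.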
@@ -232,8 +234,8 @@ sub attachments_save {
                next unless -f $filename;
                my $dest=$config{srcdir}."/".
                        linkpage(IkiWiki::possibly_foolish_untaint(
-                               attachment_location($form->field('page')).
-                               $filename));
+                               attachment_location($form->field('page')))).
+                       $filename;
                unlink($dest);
                rename($filename, $dest);
                push @attachments, $dest;
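Review bot: `$dest` is now formed by appending `$filename` outside both `linkpage` and the untaint call, and unlike `attachment_store` nothing here passes the result through `IkiWiki::file_pruned` before `unlink($dest)` and `rename`. The move therefore trusts that every name in the holding directory was sanitised at upload time, which may not hold for files stored there by the earlier code. Consider building the srcdir-relative path first, `my $rel=linkpage(IkiWiki::possibly_foolish_untaint(attachment_location($form->field('page')))).$filename;`, and skipping bad entries with `next if IkiWiki::file_pruned($rel);`. The result of `rename` is also unchecked, so a failed move is still pushed onto `@attachments`. The loop starts outside the hunk, so where `$filename` comes from cannot be confirmed from here.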