From: Joey Hess <joey@kitenet.net>
Date: Tue, 14 Jun 2011 17:41:07 +0000 (-0400)
Subject: untaint and linkpage the page name used in attachment holding directory
X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/commitdiff_plain/8619faaa8b01c4675be8d2c53d5d96f9c5d3fa16

untaint and linkpage the page name used in attachment holding directory
---

diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm
index f46388948..f4bfbe98f 100644
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -150,7 +150,8 @@ sub formbuilder (@) {
 sub attachment_holding_dir {
 	my $page=shift;
 
-	return $config{wikistatedir}."/attachments/$page";
+	return $config{wikistatedir}."/attachments/".
+		IkiWiki::possibly_foolish_untaint(linkpage($page));
 }
 
 # Stores the attachment in a holding area, not yet in the wiki proper.