From 8619faaa8b01c4675be8d2c53d5d96f9c5d3fa16 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 14 Jun 2011 13:41:07 -0400
Subject: [PATCH] untaint and linkpage the page name used in attachment holding directory
---
 IkiWiki/Plugin/attachment.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm
index f46388948..f4bfbe98f 100644
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -150,7 +150,8 @@ sub formbuilder (@) {
 sub attachment_holding_dir {
 my $page=shift;
- return $config{wikistatedir}."/attachments/$page";
+ return $config{wikistatedir}."/attachments/".
+ IkiWiki::possibly_foolish_untaint(linkpage($page));
 }
 # Stores the attachment in a holding area, not yet in the wiki proper.
-- 
2.45.0
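Review bot: The untaint on the added return line has no validating pattern visible in this hunk, so once it is applied taint mode no longer guards the holding-directory path, and its safety rests entirely on linkpage() and on whatever the callers did to $page. If linkpage() only escapes characters outside the configured wiki filename character set (an assumption, since its body is not shown here), `/` and `.` may pass through unchanged and a `..` component could still end up in the returned path. I would reject such names before the return, for example `error("bad attachment page name") if $page =~ m{(?:^|/)\.\.(?:/|$)};`, or at least add a comment above the return naming the caller-side check that makes the untaint safe, such as `# $page has already been validated by <caller check>; untainting here is deliberate`.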