changeset 30:f28165322ad3

arnica_slides: reject access to unknown cache files
author Reimar Bauer <rb.proj AT googlemail DOT com>
date Sat, 24 May 2008 10:05:13 +0200
parents af82335acd58
children b9bc86ad2445
files data/plugin/action/arnica_slides.py
diffstat 1 files changed, 10 insertions(+), 5 deletions(-) [+]
--- a/data/plugin/action/arnica_slides.py	Fri May 23 23:24:15 2008 +0200
+++ b/data/plugin/action/arnica_slides.py	Sat May 24 10:05:13 2008 +0200
@@ -364,7 +364,7 @@
         request.formatter = Formatter(request)
         attachment_path = AttachFile.getAttachDir(request, self.pagename)
         command = request.form.get('do', ['none'])[0]
-        target = request.form.get('target', [None])[0]
+        target = request.form.get('target', [''])[0]
 
         if command == 'VS':
             web = {}
@@ -411,12 +411,17 @@
             msg = None
 
         elif command == 'view':
-            if not target:
-                return
+            msg = None
             if not request.user.may.read(pagename):
-                return _('You are not allowed to view attachments of this page.')
+                msg = _('You are not allowed to view attachments of this page.')
+
             fpath = os.path.join(arena_dir, target)
-            if not os.path.exists(fpath):
+            if not target or not os.path.exists(fpath) or not wikiutil.isPicture(fpath):
+                msg = _("Attachment '%(filename)s' does not exist!") % {"filename": target}
+
+            if msg:
+                request.theme.add_msg(msg, "error")
+                self.page.send_page()
                 return
 
             timestamp = timefuncs.formathttpdate(int(os.path.getmtime(fpath)))
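Review bot: In the `view` branch, `fpath` is still built as `os.path.join(arena_dir, target)` from the request's `target` value with no check that the result stays inside `arena_dir`, so a value that carries path components or is absolute can resolve to a file outside the cache directory; the added `os.path.exists` and `wikiutil.isPicture` tests do not appear to constrain the directory. Assuming cache files sit directly in `arena_dir`, add `target != os.path.basename(target)` to the rejecting condition, or compare `os.path.realpath(fpath)` against the real path of `arena_dir` before the file is touched. The new error message also interpolates `target` as submitted; unless `request.theme.add_msg` escapes its argument, pass `wikiutil.escape(target)` in the format dict. The enclosing method starts and ends outside the hunk, so what is done with `fpath` after the `timestamp` line is not visible here.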