Item13747: fixed unescaped left braces

foswiki · Sep 24, 2015 · 8224ea3 · 8224ea3
1 parent b6c951e
commit 8224ea3
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 46 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,8 @@
+*.swp
+AttachContentPlugin.md5
+AttachContentPlugin.sha1
+AttachContentPlugin.tgz
+AttachContentPlugin.txt
+AttachContentPlugin.zip
+AttachContentPlugin_installer
+AttachContentPlugin_installer.pl
diff --git a/data/System/AttachContentPlugin.txt b/data/System/AttachContentPlugin.txt
@@ -84,34 +84,43 @@ See: PatternSkinColorSettings. This topic uses !AttachContentPlugin to write a C
 %END<nop>ATTACH%
 </pre>
 
+---++ Installation Instructions
+
+%$INSTALL_INSTRUCTIONS%
 
 #PluginSettings
----++ Plugin Settings
+---++ Settings
 
 After installation, configure this plugin by changing settings in [[%SCRIPTURL{configure}%/#AttachContentPlugin$Extensions][configure]].
 
----++ Plugin Installation Instructions
-
-%$INSTALL_INSTRUCTIONS%
-
----++ Plugin Info
-
-|  Copyright: | &copy; TWiki:Main.MeredithLesly, Foswiki:Main.KennethLavrsen, Foswiki:Main.ArthurClemens |
-|  Version: | %$VERSION% |
-|  Release: | %$RELEASE% |
-|  Change History: | <!-- versions below in reverse order -->&nbsp; |
-|  21 Aug 2010 (2.3.3) | Created stub handlers =_startAttach= and =_endAttach=. |
-|  25 May 2010 (2.3.2) | Foswikitask:Item8579 - Fix example to resolve save errors | 
+---++ Dependencies
+%$DEPENDENCIES%
+
+---++ Change History
+
+%TABLE{columnwidths="7em" tablewidth="100%"}%
+|  25 Sep 2015 (2.34) | Foswikitask:Item13747 - fixed unescaped left braces; \
+                        use CPAN:File::Temp for temporary files; check access rights before saving auto-created attachment to prevent an unnecessary error condition; \
+                        check access rights before saving auto-created attachment to prevent an unnecessary error condition; \
+                        remove SVN tags to make plugin releasable again; \
+                        use floats for version tags; \
+                        normalize web,topic params to STARTATTACH; \
+                        remove use of deprecated saveTopicText api |
+|  21 Aug 2010 (2.33) | Created stub handlers =_startAttach= and =_endAttach=. |
+|  25 May 2010 (2.32) | Foswikitask:Item8579 - Fix example to resolve save errors | 
 |  31 Aug 2009 (2.3) | Arthur Clemens: Added param =hidecontent=. Moved plugin settings to configure.  |
-|  23 Nov 2008 (2.2.1) | Foswiki compatible. |
-|  16 Apr 2007 (2.2.0) | Kenneth Lavrsen: Add added =keeppars= parameter. Settings change to being plugin settings only. Removal of plugin tags fixed so text between is still visible. |
-|  15 Apr 2007 (2.1.0) | Arthur Clemens: added parameters =web=, =topic=, =comment= and =hide=. Plugin tags are removed from view. Added configurable default comment. |
+|  23 Nov 2008 (2.21) | Foswiki compatible. |
+|  16 Apr 2007 (2.20) | Kenneth Lavrsen: Add added =keeppars= parameter. Settings change to being plugin settings only. Removal of plugin tags fixed so text between is still visible. |
+|  15 Apr 2007 (2.10) | Arthur Clemens: added parameters =web=, =topic=, =comment= and =hide=. Plugin tags are removed from view. Added configurable default comment. |
 |  19 Oct 2006 (2.0) | Foswiki:Main.KennethLavrsen<br />Fixed major security issue. Original version allowed /../ in the filename so files could be stored everywhere<br />Plugin now cleans up the its work area and no longer leaves temporary files<br />Temporary filenames made pseudo random to avoid race condition<br />Plugin now also removed nops and TML square bracket links<br />Attachment is no longer saved when uploading other files and changing attributes. |
 |  09 Feb 2006 (1.0) | Initial version |
-|  CPAN Dependencies: | none |
-|  Other Dependencies: | none |
-|  Perl Version: | 5.005 |
-|  License: | GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]]) |
-|  Plugin Home: | http://foswiki.org/Extensions/%TOPIC% |
-|  Support: | http://foswiki.org/Support/%TOPIC% |
 
+%META:FORM{name="PackageForm"}%
+%META:FIELD{name="Author" title="Author" value="ProjectContributor"}%
+%META:FIELD{name="Copyright" title="Copyright" value="&copy; TWiki:Main.MeredithLesly, Foswiki:Main.KennethLavrsen, Foswiki:Main.ArthurClemens"}%
+%META:FIELD{name="Home" title="Home" value="http://foswiki.org/Extensions/%TOPIC%"}%
+%META:FIELD{name="License" title="License" value="GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]])"}%
+%META:FIELD{name="Release" title="Release" value="%$RELEASE%"}%
+%META:FIELD{name="Repository" title="Repository" value="https://github.com/foswiki/AttachContentPlugin"}%
+%META:FIELD{name="Support" title="Support" value="http://foswiki.org/Support/%TOPIC%"}%
+%META:FIELD{name="Version" title="Version" value="%$VERSION%"}%
diff --git a/lib/Foswiki/Plugins/AttachContentPlugin.pm b/lib/Foswiki/Plugins/AttachContentPlugin.pm
@@ -1,6 +1,6 @@
 # Plugin for Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (c) 2008 Foswiki Contributors
+# Copyright (c) 2015 Foswiki Contributors
 # Copyright (c) 2007,2009 Arthur Clemens
 # Copyright (c) 2006 Meredith Lesly, Kenneth Lavrsen
 # and TWiki Contributors. All Rights Reserved.
@@ -23,16 +23,12 @@ package Foswiki::Plugins::AttachContentPlugin;
 
 # Always use strict to enforce variable scoping
 use strict;
-use Foswiki::Func;
+use warnings;
+use Foswiki::Func ();
+use File::Temp();
 
-# This should always be $Rev: 11069$ so that Foswiki can determine the checked-in
-# status of the plugin. It is used by the build automation tools, so
-# you should leave it alone.
-our $VERSION = '$Rev: 11069$';
-our $RELEASE = '2.3.3';
-
-# Short description of this plugin
-# One line description, is shown in the %SYSTEMWEB%.TextFormattingRules topic:
+our $VERSION = '2.34';
+our $RELEASE = '24 Sep 2015';
 our $SHORTDESCRIPTION  = 'Saves dynamic topic text to an attachment';
 our $NO_PREFS_IN_TOPIC = 1;
 
@@ -78,7 +74,7 @@ sub beforeCommonTagsHandler {
     #my ($text, $topic, $web, $meta ) = @_;
 
     $_[0] =~
-s/%STARTATTACH{(.*?)}%(.*?)%ENDATTACH%/&_handleAttachBeforeRendering($1, $2, $_[2], $_[1])/ges;
+s/%STARTATTACH\{(.*?)\}%(.*?)%ENDATTACH%/&_handleAttachBeforeRendering($1, $2, $_[2], $_[1])/ges;
 }
 
 =pod
@@ -96,6 +92,7 @@ sub _handleAttachBeforeRendering {
       Foswiki::Func::expandCommonVariables( $inAttr, $inTopic, $inWeb );
     my %params = Foswiki::Func::extractParameters($attrs);
     return '' if Foswiki::Func::isTrue( $params{'hidecontent'} );
+    $inContent =~ s/^\s+|\s+$//g;
     return $inContent;
 }
 
@@ -124,7 +121,7 @@ sub afterSaveHandler {
     _debug("sub afterSaveHandler( $_[2].$_[1] )");
 
     $_[0] =~
-s/%STARTATTACH{(.*?)}%(.*?)%ENDATTACH%/&_handleAttach($1, $2, $_[2], $_[1])/ges;
+s/%STARTATTACH\{(.*?)\}%(.*?)%ENDATTACH%/&_handleAttach($1, $2, $_[2], $_[1])/ges;
     $savedAlready = 0;
 
     return;
@@ -150,12 +147,20 @@ sub _handleAttach {
 
     my $web   = $params{'web'}   || $inWeb;
     my $topic = $params{'topic'} || $inTopic;
+    ($web, $topic) = Foswiki::Func::normalizeWebTopicName($web, $topic);
+
+    my $user = Foswiki::Func::getWikiName();
+    unless (Foswiki::Func::checkAccessPermission("CHANGE", $user, undef, $topic, $web)) {
+      _debug("user $user doesn't have change access on $web.$topic");
+      return '';
+    }
+
     my $comment = $params{'comment'}
       || $Foswiki::cfg{Plugins}{AttachContentPlugin}{AttachmentComment};
     my $hide = Foswiki::Func::isTrue( $params{'hide'} );
     my $keepPars =
-      Foswiki::Func::isTrue( $params{'keeppars'}
-          || $Foswiki::cfg{Plugins}{AttachContentPlugin}{KeepPars} );
+      Foswiki::Func::isTrue( $params{'keeppars'}, $Foswiki::cfg{Plugins}{AttachContentPlugin}{KeepPars} );
+
     my $workArea = Foswiki::Func::getWorkArea($pluginName);
 
     ($web)      ? _debug("\t web: $web")           : _debug("\t no web");
@@ -170,8 +175,8 @@ sub _handleAttach {
       Foswiki::Func::sanitizeAttachmentName($attrFileName);
     _debug("\t fileName=$fileName");
 
-    # Temp file in workarea - Filename + 9 digits to avoid race condition
-    my $tempName = $workArea . '/' . $fileName . int( rand(1000000000) );
+    my $fh = File::Temp->new();
+    my $tempName = $fh->filename;
     _debug("\t tempName: $tempName");
 
     # Turn most TML to text
@@ -211,9 +216,6 @@ sub _handleAttach {
         }
     );
 
-    # Delete temporary file
-    unlink($tempName) if ( $tempName && -e $tempName );
-
     return '';
 }
 

diff --git a/lib/Foswiki/Plugins/AttachContentPlugin/Config.spec b/lib/Foswiki/Plugins/AttachContentPlugin/Config.spec
@@ -8,4 +8,6 @@ $Foswiki::cfg{Plugins}{AttachContentPlugin}{Debug} = 0;
 $Foswiki::cfg{Plugins}{AttachContentPlugin}{KeepPars} = 0;
 # **STRING 200**
 # The default comment text that will be added to saved attachments.
-$Foswiki::cfg{Plugins}{AttachContentPlugin}{AttachmentComment} = 'Generated by <nop>AttachContentPlugin';
+$Foswiki::cfg{Plugins}{AttachContentPlugin}{AttachmentComment} = 'Generated by <nop>AttachContentPlugin';
+
+1;
diff --git a/lib/Foswiki/Plugins/AttachContentPlugin/DEPENDENCIES b/lib/Foswiki/Plugins/AttachContentPlugin/DEPENDENCIES
diff --git a/lib/Foswiki/Plugins/AttachContentPlugin/MANIFEST b/lib/Foswiki/Plugins/AttachContentPlugin/MANIFEST
@@ -1,3 +1,3 @@
-data/System/AttachContentPlugin.txt  Plugin doc page
-lib/Foswiki/Plugins/AttachContentPlugin.pm  Plugin Perl module
-lib/Foswiki/Plugins/AttachContentPlugin/Config.spec
+data/System/AttachContentPlugin.txt 0644
+lib/Foswiki/Plugins/AttachContentPlugin/Config.spec 0644
+lib/Foswiki/Plugins/AttachContentPlugin.pm 0644
diff --git a/test/unit/AttachContentPlugin/AttachContentPluginTests.pm b/test/unit/AttachContentPlugin/AttachContentPluginTests.pm
@@ -59,7 +59,7 @@ My content
 after
 HERE
     my $UI_FN = $this->getUIFn('save');
-    Foswiki::Func::saveTopicText( $this->{test_web}, "MyTopic", $testText );
+    Foswiki::Func::saveTopic( $this->{test_web}, "MyTopic", undef, $testText );
     my $query = new Unit::Request(
         {
             action => ['save'],