From: Art Cancro Date: Tue, 19 Sep 2023 20:26:13 +0000 (-0400) Subject: Attachments now download with the appropriate filename. X-Git-Tag: v995~16 X-Git-Url: https://code.citadel.org/?a=commitdiff_plain;h=c2ac0b3ac4f6bb51ee20ca60cdc1f0ddf2235436;p=citadel.git Attachments now download with the appropriate filename. This was accomplished by disregarding any REST components to the right of the part number, allowing the filename to be placed there. The filename is sanitized to prevent script injection. --- diff --git a/webcit-ng/api.txt b/webcit-ng/api.txt index 67e13b4a2..3182f4c20 100644 --- a/webcit-ng/api.txt +++ b/webcit-ng/api.txt @@ -13,6 +13,7 @@ GET /ctdl/r/ROOMNAME/mailbox JSON dictionary of a mailbox sum GET /ctdl/r/ROOMNAME/stat JSON dictionary of the server STAT command (room name and modification time) GET /ctdl/r/ROOMNAME/MSGNUM Retrieve the content of an individual message GET /ctdl/r/ROOMNAME/MSGNUM/json Retrieve an individual message in a room, encapsulated in JSON +GET /ctdl/r/ROOMNAME/MSGNUM/ Retrieve a MIME component of a message, specified by partnum DELETE /ctdl/r/ROOMNAME/MSGNUM Deletes a message from a room MOVE /ctdl/r/ROOMNAME/MSGNUM Moves a message to another room (requires Destination) diff --git a/webcit-ng/server/room_functions.c b/webcit-ng/server/room_functions.c index 92ed577e8..1b5d9335b 100644 --- a/webcit-ng/server/room_functions.c +++ b/webcit-ng/server/room_functions.c @@ -262,7 +262,7 @@ void object_in_room(struct http_transaction *h, struct ctdlsession *c) { // A sixth component in the URL can be one of two things: // (1) a MIME part specifier, in which case the client wants to download that component within the message // (2) a content-type, in which ase the client wants us to try to render it a certain way - if (num_tokens(h->url, '/') == 6) { + if (num_tokens(h->url, '/') >= 6) { extract_token(buf, h->url, 5, '/', sizeof buf); if (!IsEmptyStr(buf)) { if (!strcasecmp(buf, "json")) { 
@@ -679,7 +679,7 @@ void ctdl_r(struct http_transaction *h, struct ctdlsession *c) { } return; } - if (num_tokens(h->url, '/') == 6) { + if (num_tokens(h->url, '/') >= 6) { object_in_room(h, c); // /ctdl/r/roomname/object/ or possibly /ctdl/r/roomname/object/component return; } diff --git a/webcit-ng/static/js/view_mail.js b/webcit-ng/static/js/view_mail.js index 0c7052cb7..0b6cf8ce4 100644 --- a/webcit-ng/static/js/view_mail.js +++ b/webcit-ng/static/js/view_mail.js @@ -217,7 +217,7 @@ function mail_render_one(msgnum, msg, target_div, include_controls) { } display_attachments += 1; outmsg += "
  • " - + "" + + "" + " " + msg.part[r].partnum + ": " + msg.part[r].filename + " (" + msg.part[r].len + " " + _("bytes") + ")" + ""
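Review bot: In the webcit-ng/api.txt hunk, the added `GET /ctdl/r/ROOMNAME/MSGNUM/` entry does not document the optional filename component that the commit message says may follow the part number, and the path as shown ends at `MSGNUM/` with no part-number placeholder. Spell out both in the entry, and state that anything to the right of the part number is ignored by the server, so API clients do not assume the filename selects the content.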
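Review bot: In the object_in_room() hunk of room_functions.c (@@ -262), the comment above the changed test still speaks of "a sixth component" only, but with `>= 6` every component after the sixth is accepted and silently ignored, and that applies to the "json" branch as well as to MIME part downloads. Update the comment to describe the ignored trailing components (and fix "ase" to "case" while there), and if extra segments after `json` are not intended, keep the relaxed match to the part-specifier case only.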
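Review bot: In the ctdl_r() hunk of room_functions.c (@@ -679), the trailing comment on the object_in_room() call lists only `/ctdl/r/roomname/object/` and `/ctdl/r/roomname/object/component`, while `>= 6` now routes URLs of any greater depth to the same handler. Add the `.../component/filename` form to the comment, and confirm that no branch further down in ctdl_r() was meant to handle URLs with more than six tokens, since it would no longer be reached.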
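Review bot: In the mail_render_one() hunk of view_mail.js (@@ -217), the unchanged line that follows the edit still concatenates `msg.part[r].filename` directly into `outmsg` as the link text, and no escaping call is visible in the lines shown even though the commit message says the filename is sanitized. Make sure the filename is HTML-escaped where it is displayed and percent-encoded (for example with encodeURIComponent) where it is appended to the download URL, so an attachment name supplied by a sender cannot introduce markup into the message view or extra path components into the request.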