
changeset 579:6e727ab07c98

Sanitize argument from cgi with numericalize()
author HIROSE Yuuji <yuuji@gentei.org>
date Sat, 15 Jun 2019 14:33:39 +0900
parents c064c7d357dc
children a9faeb10a33b
files s4-blog.sh
diffstat 1 files changed, 6 insertions(+), 5 deletions(-) [+]
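--- a/s4-blog.sh
+++ b/s4-blog.sh
@@ -649,7 +649,8 @@
 }
 gethandout() {
   # $1=rowid of blog
-  blog_writable $1 $user
+  rid=`numericalize "$1"`
+  blog_writable $rid $user
   rc=$?		# =0: writable, $BLOG_NOTMEM bit set => not member
   if [ $((rc & $BLOG_NOTMEM)) -gt 0 ] ; then
     echo "メンバー以外は利用できません。" | html p; return
@@ -658,7 +659,7 @@
   bd=$tmpd/archive.$$
   mkdir $bd
   query "select m.rowid,author,m.val from article a join article_m m\
-	 on a.id=m.id where blogid=(select id from blog where rowid=$1)\
+	 on a.id=m.id where blogid=(select id from blog where rowid=$rid)\
 	 and m.key in ('image', 'document', 'binary');" \
       | while IFS='|' read rowid author filename; do
 	  err isfilereadable $user article_m $rowid
@@ -986,7 +987,7 @@
 
 blog_addentry() {
   # $1=GRPname(if it is a group)
-  grprowid=$1
+  grprowid=`numericalize $1`
   rowid=`getpar rowid`
   ## err blog_addentry0: rowid=$rowid
   if [ -n "$grprowid" ]; then
@@ -994,7 +995,7 @@
   else
     owner=`getpar owner`
   fi
-  err blog-add: \$1=$1 rowid=$rowid owner=$owner
+  err blog-add: \$1=$grprowid rowid=$rowid owner=$owner
   if isgroup "$owner"; then
     groupmode=1 listing=$owner guide="[${owner}]" GF_OWNER=$owner
   else
@@ -1047,7 +1048,7 @@
 }
 
 blog_reply() {		# Posting to blog article
-  rowid=$1
+  rowid=`numericalize $1`	# Ensure (already purified in s4.cgi)
 
   if [ -z "$rowid" ]; then
     echo "表示する日記番号が未指定です。" | html p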
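Review bot: The argument to numericalize is quoted in gethandout (`rid=\`numericalize "$1"\``) but unquoted in blog_addentry (`grprowid=\`numericalize $1\``) and blog_reply (`rowid=\`numericalize $1\``); with an empty $1 the unquoted form passes no argument at all, and with whitespace inside it passes several, so the three call sites do not sanitize the same way. Quoting both, `grprowid=\`numericalize "$1"\`` and `rowid=\`numericalize "$1"\``, makes the intent uniform. In gethandout, $rid is then used unquoted in `blog_writable $rid $user` and interpolated into the SQL at `rowid=$rid)`; if numericalize yields an empty string for a non-numeric input (its behaviour is not visible in this diff), the first call silently shifts $user into the rowid position and the query becomes malformed, so an empty check in the style of blog_reply's `[ -z "$rowid" ]` before these uses would be worth adding. The gethandout and blog_addentry bodies continue outside the hunks.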