author | Dries Buytaert <dries@buytaert.net> | 2010-08-17 21:31:13 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2010-08-17 21:31:13 +0000 |
commit | 2d3af8fe80715bb8b682f00272e731619d3102a8 (patch) | |
tree | 6e5bf36733e4b8d70af8afd24310694d4d0aabaf /includes | |
parent | 946a8d5967f30282b5fc899ee4ea7ae3708d9398 (diff) | |
- Patch #829822 by pwolanin, tstoeckler: check Drupal 7 core for vulnerabilities in SA-CONTRIB-2010-066.
Diffstat (limited to 'includes')
-rw-r--r-- | includes/file.inc | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/includes/file.inc b/includes/file.inc
index 36e7893ed..0d4af7693 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -331,9 +331,9 @@ function file_stream_wrapper_get_instance_by_scheme($scheme) {
 *
 * @return
 * A string containing a URL that may be used to access the file.
- * If the provided string already contains a preceding 'http', nothing is done
- * and the same string is returned. If a valid stream wrapper could not be
- * found to generate an external URL, then FALSE will be returned.
+ * If the provided string already contains a preceding 'http', 'https', or
+ * '/', nothing is done and the same string is returned. If a stream wrapper
+ * could not be found to generate an external URL, then FALSE is returned.
 */
 function file_create_url($uri) {
 // Allow the URI to be altered, e.g. to serve a file from a CDN or static
@@ -355,8 +355,8 @@ function file_create_url($uri) {
 }
 else {
 // If this is not a properly formatted stream, then it is a shipped file.
- // Therefor, return the URI with the base URL prepended.
- return $GLOBALS['base_url'] . '/' . $uri;
+ // Therefore, return the urlencoded URI with the base URL prepended.
+ return $GLOBALS['base_url'] . '/' . drupal_encode_path($uri);
 }
 }
 elseif ($scheme == 'http' || $scheme == 'https') { |
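Review bot: The rewritten @return text in the first hunk says a string beginning with 'http', 'https' or '/' is returned as-is, but it does not tell callers that those values come back exactly as supplied, while the shipped-file branch in the second hunk now returns an encoded path. The docblock should state the output contract so callers do not assume every return value is safe to print, for example `* The returned URL is not escaped for HTML; pass it through check_plain() before printing it into markup.` The phrase "contains a preceding" would also read more precisely as "begins with". The docblock starts above the hunk, so its @param text was not reviewed.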
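Review bot: In the second hunk the `$uri` handed to `drupal_encode_path()` has no stated input contract. If a caller passes a path that is already percent-encoded, or one carrying a query string or fragment, the new return line would presumably encode `%`, `?` and `#` again and produce a URL that no longer resolves; drupal_encode_path() is not defined in this diff, so that is inferred from its name and the new comment. I would extend the comment with `// $uri must be a raw, unencoded path without a query string or fragment.` and add a regression test for a shipped file whose name contains a space and a quote character. The encoding applies to this `else` branch only, and file_create_url() continues past the end of the hunk.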