author | Gerhard Killesreiter <killes_www_drop_org@227.no-reply.drupal.org> | 2006-03-29 06:49:25 +0000 |
---|---|---|
committer | Gerhard Killesreiter <killes_www_drop_org@227.no-reply.drupal.org> | 2006-03-29 06:49:25 +0000 |
commit | 4797222c13e31d49ef389d4cdb2ca30290d341db (patch) | |
tree | 924c6ce3f4160f4a37d68589fa2dafd469633e49 /includes | |
parent | 8447307ed22f756779bd39a8e38a9ae19632ccb6 (diff) | |
#55520, upload.module does not display previews for when private files are enabled, patch by dopry.
Diffstat (limited to 'includes')
-rw-r--r-- | includes/file.inc | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/includes/file.inc b/includes/file.inc
index eccdb2fc7..2c3e8a5ec 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -27,6 +27,11 @@ define('FILE_EXISTS_ERROR', 2);
 * @return A string containing a URL that can be used to download the file.
 */
 function file_create_url($path) {
+ // strip file_directory_paths from url if present. Prevent ugly and filesystem revealing
+ // urls like http://example.com/system/files/../../../home/gatsby/private/files
+ // I think it also keep absolute file_directory_paths working since they would get broken if
+ // we tried to pass them in the url.
+
 if (strpos($path, file_directory_path()) !== false) {
 $path = trim(substr($path, strlen(file_directory_path())), '\\/');
 }
@@ -34,7 +39,7 @@ function file_create_url($path) {
 case FILE_DOWNLOADS_PUBLIC:
 return $GLOBALS['base_url'] .'/'. file_directory_path() .'/'. str_replace('\\', '/', $path);
 case FILE_DOWNLOADS_PRIVATE:
- return url('system/files', 'file='. $path, NULL, TRUE);
+ return url('system/files/'. $path, NULL, NULL, TRUE);
 }
 }
@@ -573,7 +578,17 @@ function file_transfer($source, $headers) {
 */
 function file_download() {
- $filepath = $_GET['file'];
+ //use the remainder of the path to get the file.
+ //enables 4.7 clean private files paths.
+ $args = func_get_args();
+ $filepath = implode('/', $args);
+
+ // add the ?file= if it is present. Otherwise we
+ // break all old nodes with private files displayed
+ // inline.
+ if (isset($_GET['file'])) {
+ $filepath = $_GET['file'];
+ }
 if (file_exists(file_create_path($filepath))) {
 $headers = module_invoke_all('file_download', $filepath); |
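Review bot: The comment added at the top of file_create_url() (first hunk) promises more than the guard beneath it delivers. `strpos($path, file_directory_path()) !== false` is true wherever the directory string occurs in `$path`, while `substr()` always drops the first `strlen(file_directory_path())` bytes, so only a path that begins with the directory is stripped as the comment describes. Consider testing `strpos($path, file_directory_path()) === 0` and rewording the comment to `// Strip a leading file_directory_path() so generated URLs never expose the server-side files directory.` The "I think" sentence about absolute paths should be confirmed and stated plainly, or dropped.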
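Review bot: In the FILE_DOWNLOADS_PRIVATE branch of file_create_url() (second hunk), `$path` now becomes part of the URL path, but backslashes are not normalised as they are in the public branch directly above it. A Windows-style relative path would therefore yield a private URL whose segments file_download() cannot rejoin with `implode('/', $args)`. Suggest `return url('system/files/'. str_replace('\\', '/', $path), NULL, NULL, TRUE);`. Whether url() percent-encodes path segments is not visible in this hunk; if it does not, file names containing `?`, `#` or `%` also need encoding now that they no longer travel in the query string.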
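Review bot: In file_download() (third hunk) the legacy `$_GET['file']` value silently overrides the path arguments whenever it is present, so a request for `system/files/a?file=b` is checked and served as `b`. Anything keyed on the clean path (logging, caching, access rules in front of Drupal) then sees a different file from the one delivered. The value is also used without confirming it is a string, although a request parameter can arrive as an array. Prefer the path arguments and fall back only when there are none: `if (!count($args) && isset($_GET['file']) && is_string($_GET['file'])) {`. Containment of `..` segments rests entirely on file_create_path(), which is outside this hunk and worth confirming now that the path is assembled from URL segments; the function body continues past the end of the hunk.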