author | David Rothstein <drothstein@gmail.com> | 2016-02-24 14:26:52 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2016-02-24 14:26:52 -0500 |
commit | 7b2dc7936e2566c711159f75634cbb60ddacb340 (patch) | |
tree | 9fdf1d34a03ec83b95a4fbcced22bb1b599f76d0 /modules/file/file.module | |
parent | b8d9c44f83eca57039f648a0edb0f369f8d3e6b4 (diff) | |
download | brdo-7b2dc7936e2566c711159f75634cbb60ddacb340.tar.gz brdo-7b2dc7936e2566c711159f75634cbb60ddacb340.tar.bz2 |
Drupal 7.43 (SA-CORE-2016-001) by agerard, Alan Evans, benjy, berdir, catch, Damien Tournoud, DamienMcKenna, Dave Cohen, Dave Reid, David_Rothstein, dsnopek, effulgentsia, FengWen, fgm, fnqgpc, greggles, Gábor Hojtsy, Juho Nurminen 2NS, klausi, larowlan, nagba, Pere Orga, plach, pwolanin, quicksketch, rickmanelius, scor, stefan.r, StryKaizer, YesCT
Diffstat (limited to 'modules/file/file.module')
-rw-r--r-- | modules/file/file.module | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/modules/file/file.module b/modules/file/file.module
index fbf8b81ec..9e091af03 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -529,14 +529,19 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL)
 // publicly accessible, with no download restrictions; for security
 // reasons all other schemes must go through the file_download_access()
 // check.
- if (in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) || file_download_access($file->uri)) {
- $fid = $file->fid;
+ if (!in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) && !file_download_access($file->uri)) {
+ $force_default = TRUE;
 }
- // If the current user doesn't have access, don't let the file be
- // changed.
- else {
+ // Temporary files that belong to other users should never be allowed.
+ // Since file ownership can't be determined for anonymous users, they
+ // are not allowed to reuse temporary files at all.
+ elseif ($file->status != FILE_STATUS_PERMANENT && (!$GLOBALS['user']->uid || $file->uid != $GLOBALS['user']->uid)) {
 $force_default = TRUE;
 }
+ // If all checks pass, allow the file to be changed.
+ else {
+ $fid = $file->fid;
+ }
 }
 }
 } |
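Review bot: In the new `elseif`, the `!$GLOBALS['user']->uid` term sends every non-permanent file submitted by an anonymous visitor to `$force_default = TRUE`, which presumably includes the file that same visitor uploaded moments earlier when the form is rebuilt after a validation error or a preview. Failing closed is the right default for the ownership check, but the comment above it should record this side effect so that any later relaxation is a deliberate decision, for example `// NOTE: this also discards an anonymous user's own earlier upload on form rebuild; restoring that needs a per-form token, not a uid check.` Both rejection branches are also silent, so a submitted fid pointing at another user's temporary file leaves no trace for whoever reviews the logs. How `$force_default` is consumed lies outside the hunk, so the user-visible effect should be confirmed in the rest of `file_managed_file_value()`.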