authorDries Buytaert <dries@buytaert.net>2010-08-20 01:21:14 +0000
committerDries Buytaert <dries@buytaert.net>2010-08-20 01:21:14 +0000
commit317b9b4e0ca3d620abec0fe0f16ed0c691996dec (patch)
treedac0bb09036781fa7a6b6f9302fe2b91212feae9 /modules/file
parentf8952b675c8df8610e43f440bbfe48bd24dcc3cb (diff)
- Patch #881578 by Gábor Hojtsy, scor: solve SA-CORE-2010-002 issues.
Diffstat (limited to 'modules/file')
-rw-r--r--modules/file/file.module11
1 files changed, 9 insertions, 2 deletions
diff --git a/modules/file/file.module b/modules/file/file.module
index 0340eb059..445dc624d 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -125,9 +125,16 @@ function file_file_download($uri, $field_type = 'file') {
// Get the file record based on the URI. If not in the database just return.
$files = file_load_multiple(array(), array('uri' => $uri));
if (count($files)) {
- $file = reset($files);
+ foreach ($files as $item) {
+ // Since some database servers sometimes use a case-insensitive comparison
+ // by default, double check that the filename is an exact match.
+ if ($item->uri === $uri) {
+ $file = $item;
+ break;
+ }
+ }
}
- else {
+ if (!isset($file)) {
return;
}