diff options
-rw-r--r-- | includes/file.inc | 13 | ||||
-rw-r--r-- | modules/upload.module | 3 | ||||
-rw-r--r-- | modules/upload/upload.module | 3 |
3 files changed, 5 insertions, 14 deletions
diff --git a/includes/file.inc b/includes/file.inc index 2c3e8a5ec..1c79f9e82 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -27,11 +27,7 @@ define('FILE_EXISTS_ERROR', 2); * @return A string containing a URL that can be used to download the file. */ function file_create_url($path) { - // strip file_directory_paths from url if present. Prevent ugly and filesystem revealing - // urls like http://example.com/system/files/../../../home/gatsby/private/files - // I think it also keep absolute file_directory_paths working since they would get broken if - // we tried to pass them in the url. - + // Strip file_directory_path from $path. We only include relative paths in urls. if (strpos($path, file_directory_path()) !== false) { $path = trim(substr($path, strlen(file_directory_path())), '\\/'); } @@ -578,14 +574,11 @@ function file_transfer($source, $headers) { */ function file_download() { - //use the remainder of the path to get the file. - //enables 4.7 clean private files paths. + // Merge remainder of arguments from GET['q'], into relative file path. $args = func_get_args(); $filepath = implode('/', $args); - // add the ?file= if it is present. Otherwise we - // break all old nodes with private files displayed - // inline. + // Maintain compatability with old ?file=paths saved in node bodies. if (isset($_GET['file'])) { $filepath = $_GET['file']; } diff --git a/modules/upload.module b/modules/upload.module index 75fc07fa2..46d582400 100644 --- a/modules/upload.module +++ b/modules/upload.module @@ -80,8 +80,7 @@ function upload_menu($may_cache) { foreach ($_SESSION['file_previews'] as $fid => $file) { $filename = file_create_filename($file->filename, file_create_path()); if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PRIVATE) { - // strip file_directory_path() from filepath - // to hide relative paths in url. see file_create_url + // strip file_directory_path() from filename. @see file_create_url if (strpos($filename, file_directory_path()) !== false) { $filename = trim(substr($filename, strlen(file_directory_path())), '\\/'); } diff --git a/modules/upload/upload.module b/modules/upload/upload.module index 75fc07fa2..46d582400 100644 --- a/modules/upload/upload.module +++ b/modules/upload/upload.module @@ -80,8 +80,7 @@ function upload_menu($may_cache) { foreach ($_SESSION['file_previews'] as $fid => $file) { $filename = file_create_filename($file->filename, file_create_path()); if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PRIVATE) { - // strip file_directory_path() from filepath - // to hide relative paths in url. see file_create_url + // strip file_directory_path() from filename. @see file_create_url if (strpos($filename, file_directory_path()) !== false) { $filename = trim(substr($filename, strlen(file_directory_path())), '\\/'); } |