Commit 4797222c authored by Gerhard Killesreiter's avatar Gerhard Killesreiter
Browse files

#55520, upload.module does not display previews for when private files are enabled, patch by dopry.

parent 8447307e
......@@ -27,6 +27,11 @@
* @return A string containing a URL that can be used to download the file.
*/
function file_create_url($path) {
// strip file_directory_paths from url if present. Prevent ugly and filesystem revealing
// urls like http://example.com/system/files/../../../home/gatsby/private/files
// I think it also keep absolute file_directory_paths working since they would get broken if
// we tried to pass them in the url.
if (strpos($path, file_directory_path()) !== false) {
$path = trim(substr($path, strlen(file_directory_path())), '\\/');
}
......@@ -34,7 +39,7 @@ function file_create_url($path) {
case FILE_DOWNLOADS_PUBLIC:
return $GLOBALS['base_url'] .'/'. file_directory_path() .'/'. str_replace('\\', '/', $path);
case FILE_DOWNLOADS_PRIVATE:
return url('system/files', 'file='. $path, NULL, TRUE);
return url('system/files/'. $path, NULL, NULL, TRUE);
}
}
......@@ -573,7 +578,17 @@ function file_transfer($source, $headers) {
*/
function file_download() {
$filepath = $_GET['file'];
//use the remainder of the path to get the file.
//enables 4.7 clean private files paths.
$args = func_get_args();
$filepath = implode('/', $args);
// add the ?file= if it is present. Otherwise we
// break all old nodes with private files displayed
// inline.
if (isset($_GET['file'])) {
$filepath = $_GET['file'];
}
if (file_exists(file_create_path($filepath))) {
$headers = module_invoke_all('file_download', $filepath);
......
......@@ -79,6 +79,15 @@ function upload_menu($may_cache) {
if ($_SESSION['file_previews']) {
foreach ($_SESSION['file_previews'] as $fid => $file) {
$filename = file_create_filename($file->filename, file_create_path());
if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PRIVATE) {
// strip file_directory_path() from filepath
// to hide relative paths in url. see file_create_url
if (strpos($filename, file_directory_path()) !== false) {
$filename = trim(substr($filename, strlen(file_directory_path())), '\\/');
}
$filename = 'system/files/' . $filename;
}
$items[] = array(
'path' => $filename, 'title' => t('file download'),
'callback' => 'upload_download',
......
......@@ -79,6 +79,15 @@ function upload_menu($may_cache) {
if ($_SESSION['file_previews']) {
foreach ($_SESSION['file_previews'] as $fid => $file) {
$filename = file_create_filename($file->filename, file_create_path());
if (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC) == FILE_DOWNLOADS_PRIVATE) {
// strip file_directory_path() from filepath
// to hide relative paths in url. see file_create_url
if (strpos($filename, file_directory_path()) !== false) {
$filename = trim(substr($filename, strlen(file_directory_path())), '\\/');
}
$filename = 'system/files/' . $filename;
}
$items[] = array(
'path' => $filename, 'title' => t('file download'),
'callback' => 'upload_download',
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment