Fixed filename not being sent through sanitize_page_id() during upload. Non-security.
--- a/plugins/SpecialUpdownload.php Sat Nov 08 22:32:43 2008 -0500
+++ b/plugins/SpecialUpdownload.php Sat Nov 08 22:33:26 2008 -0500
@@ -118,7 +118,7 @@
$utime = time();
- $filename = $db->escape($filename);
+ $filename = $db->escape(sanitize_page_id($filename));
$ext = substr($filename, strrpos($filename, '.'), strlen($filename));
$flen = filesize($file['tmp_name']);
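Review bot: `$ext` on the line after the changed assignment is derived from the already sanitized and DB-escaped string, and a `false` return from `strrpos()` (a name with no dot) is not handled, so `substr()` starts at offset 0 and the whole name becomes the extension. If `$ext` later feeds an extension allow-list or MIME decision (not visible in this hunk), that check would run on a transformed value. Guard the no-dot case and take the extension before escaping, e.g. `$dot = strrpos($filename, '.'); $ext = ( $dot === false ) ? '' : substr($filename, $dot);`. The enclosing function starts and ends outside the hunk.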
@@ -219,7 +219,8 @@
{
$tid = '';
}
- $filename = $db->escape($filename);
+ $filename = $db->escape(sanitize_page_id($filename));
+
$q = $db->sql_query('SELECT page_id,size,mimetype,time_id,file_extension,file_key FROM '.table_prefix.'files WHERE filename=\''.$filename.'\''.$tid.' ORDER BY time_id DESC;');
if ( !$q )
{
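Review bot: `$tid` is appended to the SELECT outside the quoted literal, so unlike `$filename` it gets no protection from `$db->escape()`. Only the empty-string branch is visible here, so the branch that fills it should be confirmed to force an integer (for example with `intval()`) before it is concatenated. Separately, the lookup now sanitizes the name, while rows written before this commit may still hold the unsanitized form. Older uploads could stop resolving unless existing `filename` values are migrated. The enclosing block continues outside the hunk.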