fixes #600, avoid html in web uploaded filenames
plegall committed Jan 27, 2017
1 parent 746c796 commit 6ec3f2d
Showing 2 changed files with 6 additions and 1 deletion.
2 changes: 1 addition & 1 deletion action.php
Expand Up @@ -216,7 +216,7 @@ function do_error( $code, $str )

if (isset($_GET['download']))
{
$http_headers[] = 'Content-Disposition: attachment; filename="'.$element_info['file'].'";';
$http_headers[] = 'Content-Disposition: attachment; filename="'.htmlspecialchars_decode($element_info['file']).'";';
$http_headers[] = 'Content-Transfer-Encoding: binary';
}
else
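Review bot: The decoded name on the new line 17 is spliced into a double-quoted Content-Disposition parameter, so a stored `&quot;` (which the escaping added in functions_upload.inc.php produces for a literal `"`) comes back as `"` and terminates the quoted-string, letting the remainder of the filename inject further header parameters; a backslash is the other escape character inside an HTTP quoted-string. PHP's header() refuses CR/LF, but that $http_headers ends up in header() is an inference, since the sending code is outside this hunk. I would strip the quoting characters after decoding: `$filename = str_replace(array('"', '\\', "\r", "\n"), '', htmlspecialchars_decode($element_info['file']));` followed by `$http_headers[] = 'Content-Disposition: attachment; filename="'.$filename.'";';`. The decode also uses default flags, which on PHP before 8.1 means ENT_COMPAT, so if the escaping side is ever switched to ENT_QUOTES an `&#039;` would stay encoded in the download name; passing ENT_QUOTES explicitly keeps the two sides in step. The enclosing code starts and ends outside the hunk.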
5 changes: 5 additions & 0 deletions admin/include/functions_upload.inc.php
Expand Up @@ -161,6 +161,11 @@ function add_uploaded_file($source_filepath, $original_filename=null, $categorie

global $conf, $user;

if (!is_null($original_filename))
{
$original_filename = htmlspecialchars($original_filename);
}

if (isset($original_md5sum))
{
$md5sum = $original_md5sum;
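Review bot: The new htmlspecialchars() call on line 29 relies on default flags, which before PHP 8.1 are ENT_COMPAT: a single quote in the filename survives unescaped, so a template that places the name in a single-quoted attribute is still injectable, and an invalid UTF-8 byte sequence makes the function return an empty string, silently dropping the name. If the project's PHP floor is 5.4 or later I would make the flags explicit: `$original_filename = htmlspecialchars($original_filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Escaping on the way in also means every consumer that does not emit HTML must decode (as action.php now does for the download header), and it does nothing for characters that matter in a path such as `/`, `..` or NUL; if $original_filename also feeds a filesystem path later in add_uploaded_file, a basename()/whitelist step is the defence there — the rest of the function is outside this hunk. A why-comment above the block would spare the next reader that discovery: `// stored HTML-escaped (#600); consumers writing non-HTML (headers, filesystem) must decode first`.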
