From bf95d0dbdf6c214c69542a3cacdd3a689ba2f161 Mon Sep 17 00:00:00 2001
From: "matthieu.rolland"
Date: Tue, 6 Jun 2023 17:36:37 +0200
Subject: [PATCH] keep file name from containing path traversal

---
 classes/Attachment.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/Attachment.php b/classes/Attachment.php
index b6874720d5fa1..1f4e73d18dd48 100644
--- classes/Attachment.php
+++ classes/Attachment.php
@@ -111,7 +111,7 @@ public function update($nullValues = false)
 public function delete()
 {
 if (file_exists(_PS_DOWNLOAD_DIR_ . $this->file)) {
- @unlink(_PS_DOWNLOAD_DIR_ . $this->file);
+ @unlink(_PS_DOWNLOAD_DIR_ . basename($this->file));
 }
 
 $sql = new DbQuery();
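Review bot: The `file_exists()` guard directly above the changed line still tests the raw `$this->file`, so when the stored name carries directory components the existence check and the `unlink()` now resolve to two different paths. Normalising once and reusing the result keeps them in agreement: `$file = basename((string) $this->file);` followed by `if ($file !== '' && is_file(_PS_DOWNLOAD_DIR_ . $file)) { @unlink(_PS_DOWNLOAD_DIR_ . $file); }`, where `is_file()` also stops an empty name from matching the download directory itself. The `@` on `unlink()` hides a failed delete, so an attachment row can be removed while its file stays on disk; logging the failure would make that visible. This patch sanitises only at deletion time, and whether other readers of `$this->file` apply the same normalisation is not visible here, so rejecting names containing path separators where the field is written would be the more complete control. The body of `delete()` continues past the end of the hunk.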