BUGFIX Fixed SQL injection in Folder::findOrMake() parameter. Exploit…

…able through Upload::, although unlikely to be set via user input.

filesystem/Folder.php

@@ -42,7 +42,14 @@ static function findOrMake($folderPath) {
 		$item = null;
 		foreach($parts as $part) {
 			if(!$part) continue; // happens for paths with a trailing slash
-			$item = DataObject::get_one("Folder", "\"Name\" = '$part' AND \"ParentID\" = $parentID");
+			$item = DataObject::get_one(
+				"Folder", 
+				sprintf(
+					"\"Name\" = '%s' AND \"ParentID\" = %d",
+					Convert::raw2sql($part), 
+					(int)$parentID
+				)
+			);
 			if(!$item) {
 				$item = new Folder();
 				$item->ParentID = $parentID;