Fixed potential security exploit.

git-svn-id: https://plugins.svn.wordpress.org/secure-files/trunk@3641 b8457f37-d9ea-0310-8a92-e5e31aec5664
wp-plugins · Oct 3, 2005 · cab025e · cab025e
1 parent b1afc06
commit cab025e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/secure-files.php b/secure-files.php
@@ -4,7 +4,7 @@
 Plugin URI: http://www.almosteffortless.com/wordpress/
 Description: This plugin allows you to upload and download files from outside of your web document root for security purposes. When used in conjunction with a plugin that requires a user to be logged in to see your site, you can restrict file downloads to users that are logged in. It can be found in Manage -> Secure Files.
 Author: Trevor Turk
-Version: 1.1
+Version: 1.2
 Author URI: http://www.almosteffortless.com/
 */ 
 
@@ -67,7 +67,7 @@ function sf_downloads() {
 		if (isset($_GET["$sf_prefix"])) {
 			$downloadfile = $_GET["$sf_prefix"];
 			$sf_directory = get_option('sf_directory');
-			$downloadfile = $sf_directory . $downloadfile;
+			$downloadfile = $sf_directory . basename($downloadfile);
 			if (is_file($downloadfile)) {
 				header('Content-Description: File Transfer'); 
 				header('Content-Type: application/force-download');