Fixed transaction date check messages.
[fa-stable.git] / admin / attachments.php
index 30090517cdaad37bf38926089c87d3674c338cd1..1ad50d699fe81d4d51bd91b163f0eba960514dab 100644 (file)
@@ -94,13 +94,16 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
                        fwrite($fp, $index_file);
                        fclose($fp);
                }
-               if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$_POST['unique_name']))
-                       unlink($dir."/".$_POST['unique_name']);
+               // file name compatible with POSIX
+               // protect against directory traversal
+               $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+               if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$unique_name))
+                       unlink($dir."/".$unique_name);
 
                $unique_name = uniqid('');
                move_uploaded_file($tmpname, $dir."/".$unique_name);
                //save the file
-               $filename = $_FILES['filename']['name'];
+               $filename = basename($_FILES['filename']['name']);
                $filesize = $_FILES['filename']['size'];
                $filetype = $_FILES['filename']['type'];
        }
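Review bot: The new `preg_replace` on `$_POST['unique_name']` sanitises by stripping rather than validating, so `.` and `..` survive the filter and `file_exists($dir."/..")` is true, leaving the later `unlink()` to fail on a directory with a warning instead of the request being rejected. Since every stored name is produced by `uniqid('')` two lines below, the stricter and simpler check is to accept only that shape and bail out otherwise, e.g. `if (!isset($_POST['unique_name']) || !preg_match('/^[0-9a-fA-F]+$/', $_POST['unique_name']))` followed by the page's usual error path; this also avoids the undefined-index notice when the field is absent. Separately, the return value of `move_uploaded_file()` on the line after `uniqid` is still unchecked, so a failed move would presumably let the record be saved with a `$unique_name` that has no file behind it — wrap it as `if (!move_uploaded_file($tmpname, $dir."/".$unique_name))` and report the error. The enclosing `if ($Mode == ...)` block begins before this hunk.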