Fixed security issues in file uploads.
[fa-stable.git] / admin / attachments.php
index 9540327a47a2aab99751be678356a287e9e4774b..2f41d80c14cc15cef973f5dedb2e4b3b0b1232e9 100644 (file)
@@ -108,7 +108,10 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
                // protect against directory traversal
                if ($Mode == 'UPDATE_ITEM')
                {
-                       $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+                   $row = get_attachment($selected_id);
+                   if ($row['filename'] == "")
+                       exit();
+                       $unique_name = $row['unique_name'];
                        if ($filename && file_exists($dir."/".$unique_name))
                                unlink($dir."/".$unique_name);
                }
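Review bot: The new guard ahead of `$unique_name = $row['unique_name'];` tests `$row['filename']`, not the value that is actually joined into the `unlink()` path. If `get_attachment()` returns false or null for an unknown `$selected_id`, the row is rejected only because the loose `==` happens to treat a missing offset as equal to `""`. Making both cases explicit also stops `file_exists($dir."/")` from matching the directory itself when `unique_name` is empty: `if (!$row || $row['filename'] == "" || $row['unique_name'] == "") exit();`. `get_attachment()` is defined outside this hunk, so it is worth confirming that it only returns records the current user may modify, since the stored file is deleted afterwards. The enclosing `if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')` block starts and ends outside the hunk.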