Contacts: Make tmp file cleaup a bit safer.

author Thomas Tanghus <thomas@tanghus.net>

Mon, 4 Jun 2012 11:38:11 +0000 (13:38 +0200)

committer Thomas Tanghus <thomas@tanghus.net>

Mon, 4 Jun 2012 11:38:37 +0000 (13:38 +0200)
author Thomas Tanghus <thomas@tanghus.net>
Mon, 4 Jun 2012 11:38:11 +0000 (13:38 +0200)
committer Thomas Tanghus <thomas@tanghus.net>
Mon, 4 Jun 2012 11:38:37 +0000 (13:38 +0200)
diff --git a/apps/contacts/ajax/cleanupphoto.php b/apps/contacts/ajax/cleanupphoto.php

index 6fd2c351565018b9528f4acb91d52fe0c532d18d..2bb4bd65846def82f93edb02281fef221440b4c3 100644 (file)
--- a/apps/contacts/ajax/cleanupphoto.php
+++ b/apps/contacts/ajax/cleanupphoto.php
@@ -17,9 +17,6 @@
   *
   * You should have received a copy of the GNU Affero General Public
   * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
- *
- * TODO: Translatable strings.
- *       Remember to delete tmp file at some point.
   */
  // Check if we are a user
  OCP\JSON::checkLoggedIn();
@@ -30,7 +27,7 @@ $tmp_path = isset($_POST['tmp_path']) ? $_POST['tmp_path'] : '';
  // give some time to save the photo
  sleep(5);
  
-if($tmp_path != '' && file_exists($tmp_path)) {
+if($tmp_path != '' && file_exists($tmp_path) && !is_dir($tmp_path) && dirname($tmp_path)==get_temp_dir()) {
         unlink($tmp_path);
         OCP\JSON::success();
         exit();
@@ -38,4 +35,3 @@ if($tmp_path != '' && file_exists($tmp_path)) {
         error_log('Couldn\'t find: '.$tmp_path);
         OCP\JSON::error();
  }
-?>
author	Thomas Tanghus <thomas@tanghus.net>
	Mon, 4 Jun 2012 11:38:11 +0000 (13:38 +0200)
committer	Thomas Tanghus <thomas@tanghus.net>
	Mon, 4 Jun 2012 11:38:37 +0000 (13:38 +0200)