Index: branches/5.2.x/core/kernel/db/db_event_handler.php =================================================================== diff -u -N -r15268 -r15345 --- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15268) +++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15345) @@ -1,6 +1,6 @@ Application->isAdmin ) { + $value = array_map('htmlspecialchars_decode', $value); + } + $tmp_path = WRITEABLE . '/tmp/'; $fname = $value['name']; $id = $this->Application->GetVar('id'); @@ -3232,8 +3236,13 @@ protected function OnDeleteFile(kEvent $event) { $event->status = kEvent::erSTOP; + $filename = $this->Application->GetVar('file'); - if ( strpos($this->Application->GetVar('file'), '../') !== false ) { + if ( !$this->Application->isAdmin ) { + $filename = htmlspecialchars_decode($filename); + } + + if ( strpos($filename, '../') !== false ) { return; } @@ -3243,7 +3252,7 @@ $var_name = $this->_getPendingActionVariableName($event); $schedule = $this->Application->RecallVar($var_name); $schedule = $schedule ? unserialize($schedule) : Array (); - $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $this->Application->GetVar('file')); + $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $filename); $this->Application->StoreVar($var_name, serialize($schedule)); } @@ -3259,6 +3268,11 @@ $event->status = kEvent::erSTOP; $file = $this->Application->GetVar('file'); + + if ( !$this->Application->isAdmin ) { + $file = htmlspecialchars_decode($file); + } + if ( (strpos($file, '../') !== false) || (trim($file) !== $file) ) { // when relative paths or special chars are found template names from url, then it's hacking attempt return;
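Review bot: The traversal guard on the new `if ( strpos($filename, '../') !== false )` line in OnDeleteFile is a substring blocklist, so after the (correctly ordered) decode it still admits `..\` on Windows hosts and a bare `..`, and the scheduled path built in the next hunk, `FULL_PATH . $options['upload_dir'] . $filename`, is protected against only that one spelling. If uploaded file names are expected to be flat (I cannot see where `$options['upload_dir']` is set or whether subdirectories are allowed), a positive check is safer: `if ( $filename === '' || basename($filename) !== $filename ) { return; }`; otherwise at least normalise separators with `$filename = str_replace('\\', '/', $filename);` before the strpos. A short comment above the isAdmin block would also help the next maintainer, e.g. `// front-end values arrive HTML-encoded; decode before validating so the check sees the real path`. OnDeleteFile continues past this hunk.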
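Review bot: In the last hunk the decode block is placed ahead of the `../` and `trim($file) !== $file` checks, which is the right order, but the traversal test is still only a `'../'` substring match and misses `..\` on Windows and a bare `..`. Consider adding `$file = str_replace('\\', '/', $file);` directly after the decode so the existing check covers both separators, or rejecting any directory component with `basename($file) !== $file` if viewable files are expected to be flat. The method's signature and the remainder of its body lie outside this hunk, so I cannot see how `$file` is used after the check.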