Index: branches/unlabeled/unlabeled-1.85.2/core/kernel/db/db_event_handler.php =================================================================== diff -u -r8202 -r8215 --- branches/unlabeled/unlabeled-1.85.2/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8202) +++ branches/unlabeled/unlabeled-1.85.2/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8215) @@ -1100,6 +1100,8 @@ { $this->setTempWindowID($event); $this->StoreSelectedIDs($event); + $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); + $this->Application->RemoveVar($var_name); $temp =& $this->Application->recallObject($event->getPrefixSpecial().'_TempHandler', 'kTempTablesHandler'); /* @var $temp kTempTablesHandler */ @@ -1124,6 +1126,17 @@ if (!$this->Application->CheckPermission('SYSTEM_ACCESS.READONLY', 1)) { $live_ids = $temp->SaveEdit($event->getEventParam('master_ids') ? $event->getEventParam('master_ids') : Array()); + + // Deleteing files scheduled for delete + $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); + $schedule = $this->Application->RecallVar($var_name); + $schedule = $schedule ? unserialize($schedule) : array(); + foreach ($schedule as $data) { + if ($data['action'] == 'delete') { + unlink($data['file']); + } + } + if ($live_ids) { // ensure, that newly created item ids are avalable as if they were selected from grid // NOTE: only works if main item has subitems !!! 
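Review bot: The session key built in the first hunk, `$event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid')`, is repeated verbatim in the save hunk and in OnDeleteFile, so the three copies must stay in sync for the schedule to be found and cleared. A small private helper that returns this string, for example `function getPendingActionsVarName(&$event)`, would keep them aligned. The enclosing function starts and ends outside the hunk.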
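Review bot: The added loop passes `$data['file']` to `unlink()` without checking that the file still exists, and the schedule is never cleared once it has been processed, so a second save in the same window would replay the deletions and raise warnings. I would guard the call with `if ($data['action'] == 'delete' && is_file($data['file']))` and add `$this->Application->RemoveVar($var_name);` after the loop. The deletions also run before `$live_ids` is tested; if an empty result from `SaveEdit()` can mean the save did not go through, the files should only be removed inside that branch. The enclosing function starts and ends outside the hunk.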
@@ -2095,12 +2108,16 @@ */ function OnDeleteFile(&$event) { - $var_name = $event->getPrefixSpecial().'_file_pending_actions'; + if (strpos($this->Application->GetVar('file'), '../') !== false) return ; + $object =& $event->getObject(array('skip_autoload'=>true)); + $options = $object->GetFieldOptions($this->Application->GetVar('field')); + + $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); $schedule = $this->Application->RecallVar($var_name); $schedule = $schedule ? unserialize($schedule) : array(); - $schedule[] = array('action'=>'delete', 'file'=>$this->Application->GetVar('file')); + $schedule[] = array('action'=>'delete', 'file'=>$path = FULL_PATH.$options['upload_dir'].$this->Application->GetVar('file')); $this->Application->StoreVar($var_name, serialize($schedule)); - exit; + $this->Application->Session->SaveData(); } /** @@ -2110,6 +2127,7 @@ */ function OnViewFile(&$event) { + if (strpos($this->Application->GetVar('file'), '../') !== false) return ; if ($this->Application->GetVar('tmp')) { $path = WRITEABLE.'/tmp/'.$this->Application->GetVar('id').'_'.$this->Application->GetVar('file'); }
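Review bot: The new guard in OnDeleteFile rejects only the literal `../`, so the stored path is not actually confined to the field's upload directory: a name with `..\` or with ordinary sub-directory parts passes, and when the request's `field` has no `upload_dir` option the path collapses to `FULL_PATH` plus the supplied name. Since the save handler later calls `unlink()` on whatever was queued, I would reduce the name to its base name and refuse fields without an upload directory before queueing, as sketched below (this assumes stored names never contain sub-directories). The stray `$path =` inside the array literal is unused and can go. The same `../` test is added to OnViewFile in the next hunk and has the same limitation.

```php
function OnDeleteFile(&$event)
{
	// accept a bare file name only; directory parts are never needed here
	$file = basename(str_replace('\\', '/', (string)$this->Application->GetVar('file')));
	if ($file === '' || $file == '.' || $file == '..') return ;

	$object =& $event->getObject(array('skip_autoload'=>true));
	$options = $object->GetFieldOptions($this->Application->GetVar('field'));
	// refuse fields that are not configured for uploads
	if (!is_array($options) || empty($options['upload_dir'])) return ;

	// … unchanged: $var_name / RecallVar / unserialize …
	$schedule[] = array('action'=>'delete', 'file'=>FULL_PATH.$options['upload_dir'].$file);
	// … unchanged: StoreVar / SaveData …
```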
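Review bot: The guard added to OnViewFile inspects only `file`, while the temp path on the following lines also concatenates the request's `id` unchecked, so `id` can still carry directory parts into the `WRITEABLE.'/tmp/'` path. Both values should be normalised before they are joined, e.g. `$id = basename($this->Application->GetVar('id'));` and the same for `file`. The function body continues outside the hunk, so the non-tmp branch may need the same treatment.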