Uses safer path for email_to_user

lsuits · May 24, 2012 · 200fb2e · 200fb2e
1 parent 65e8e67
commit 200fb2e
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## v1.2.7
+
+- Block now uses icons correctly [213ed0][213ed0]
+- Uses the correct zip in attachments
+
+[213ed0]: https://github.com/lsuits/quickmail/commit/213ed09b58a065608d81df83005dccd4f8b6714d
+
 ## v1.2.6
 
 - Now uses $CFG->tempdir for the temp directory [741a64][741a64]
@@ -10,7 +17,7 @@
 
 - Receive copy default setting [#31][31]
 - Empty Signature defaults [#30][30]
-- Increase Subject line [45a80cf][45a80cf] 
+- Increase Subject line [45a80cf][45a80cf]
 
 [31]: https://github.com/lsuits/quickmail/issues/31
 [30]: https://github.com/lsuits/quickmail/issues/30

diff --git a/email.php b/email.php
@@ -272,7 +272,7 @@
                     strip_tags($data->message), $data->message, $zip, $zipname);
             }
 
-            if (!empty($zip)) {
+            if (!empty($actual_zip)) {
                 unlink($actual_zip);
             }
         }

diff --git a/lib.php b/lib.php
@@ -75,9 +75,11 @@ static function process_attachments($context, $email, $table, $id) {
 
         if (!empty($email->attachment)) {
             $zipname = "attachment.zip";
-            $zip = "temp/$base_path/$zipname";
             $actual_zip = "$moodle_base/$zipname";
 
+            $safe_path = preg_replace('/\//', "\\/", $CFG->dataroot);
+            $zip = preg_replace("/$safe_path\\//", '', $actual_zip);
+
             $packer = get_file_packer();
             $fs = get_file_storage();