From 9ef891858ca6ccf4213c5981868c6175cb2cde47 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Wed, 30 Jan 2013 18:45:49 -0500
Subject: Protect admins from themselves - in case an admin changed the watermark.name setting to something terrible by accident via Admin > Advanced, we'll just use the basename. Fixes #1977.
---
 modules/watermark/controllers/admin_watermarks.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules')
diff --git a/modules/watermark/controllers/admin_watermarks.php b/modules/watermark/controllers/admin_watermarks.php
index 1cc0c392..2d656c9f 100644
--- a/modules/watermark/controllers/admin_watermarks.php
+++ b/modules/watermark/controllers/admin_watermarks.php
@@ -66,7 +66,7 @@ class Admin_Watermarks_Controller extends Admin_Controller {
 $form = watermark::get_delete_form();
 if ($form->validate()) {
- if ($name = module::get_var("watermark", "name")) {
+ if ($name = basename(module::get_var("watermark", "name"))) {
 @unlink(VARPATH . "modules/watermark/$name");
 module::clear_var("watermark", "name");
-- 
cgit v1.2.3
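Review bot: The `basename()` added on the `if ($name = ...)` line keeps the path inside the watermark directory, but values such as `.` or `..` pass through it unchanged and are still truthy, so the following `@unlink` fails silently on a directory and `module::clear_var("watermark", "name")` runs as if the file had been removed. Guarding the delete with `$path = VARPATH . "modules/watermark/$name"; if (is_file($path)) { unlink($path); }` and logging a failure instead of suppressing it would make a tampered or mistyped setting visible. The sanitising also happens only at this call site; any other reader of `watermark.name` (none is visible in this hunk) would still get the raw value, so normalising it where the setting is written or in a shared accessor is worth considering. A short comment such as `// watermark.name is admin-editable (Admin > Advanced); strip any directory part before touching the filesystem` would record why the call is there. The enclosing method starts and ends outside the hunk.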