security upadtes

This commit is contained in:
Bachir Soussi Chiadmi
2017-09-25 15:16:35 +02:00
parent 650c6448e4
commit 8d8a60b615
240 changed files with 3022 additions and 1300 deletions


@@ -146,8 +146,9 @@ function file_file_download($uri, $field_type = 'file') {
// headers for files controlled by other modules. Make an exception for
// temporary files where the host entity has not yet been saved (for example,
// an image preview on a node/add form) in which case, allow download by the
// file's owner.
if (empty($references) && ($file->status == FILE_STATUS_PERMANENT || $file->uid != $user->uid)) {
// file's owner. For anonymous file owners, only the browser session that
// uploaded the file should be granted access.
if (empty($references) && ($file->status == FILE_STATUS_PERMANENT || $file->uid != $user->uid || (!$user->uid && empty($_SESSION['anonymous_allowed_file_ids'][$file->fid])))) {
return;
}
@@ -283,7 +284,7 @@ function file_ajax_upload() {
$form['#prefix'] .= theme('status_messages');
$output = drupal_render($form);
$js = drupal_add_js();
$settings = call_user_func_array('array_merge_recursive', $js['settings']['data']);
$settings = drupal_array_merge_deep_array($js['settings']['data']);
$commands[] = ajax_command_replace(NULL, $output, $settings);
return array('#type' => 'ajax', '#commands' => $commands);