From 2627b392e0c6a593166e4f5b048b48fc8a950d6d Mon Sep 17 00:00:00 2001
From: "vit.jonas@gmail.com"
Date: Sun, 18 Sep 2011 08:28:59 +0000
Subject: [PATCH] * fixed Issue 144: Path traversal access
git-svn-id: http://redmine-dmsf.googlecode.com/svn/trunk/redmine_dmsf@234 5e329b0b-a2ee-ea63-e329-299493fc886d
---
 app/controllers/dmsf_upload_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/dmsf_upload_controller.rb b/app/controllers/dmsf_upload_controller.rb
index 8dfb2077..b13c7c29 100644
--- a/app/controllers/dmsf_upload_controller.rb
+++ b/app/controllers/dmsf_upload_controller.rb
@@ -93,8 +93,8 @@ class DmsfUploadController < ApplicationController
 new_revision.minor_version = last_revision.minor_version
 new_revision.workflow = last_revision.workflow
 end
-
- commited_disk_filepath = "#{DmsfHelper.temp_dir}/#{commited_file["disk_filename"]}"
+
+ commited_disk_filepath = "#{DmsfHelper.temp_dir}/#{commited_file["disk_filename"].gsub(/[\/\\]/,'')}"
 new_revision.folder = @folder
 new_revision.file = file
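Review bot: Stripping `/` and `\` from `commited_file["disk_filename"]` on the new `commited_disk_filepath` line still leaves some inputs unhandled: a value of `..` or `.` passes through unchanged and resolves to the parent of the temp directory or to the directory itself, and a missing key now raises NoMethodError on `nil.gsub` where the old code interpolated an empty string. Rejecting the request is safer than silently rewriting the name; for example compute `path = File.expand_path(commited_file["disk_filename"].to_s, DmsfHelper.temp_dir)` and refuse the upload unless `File.dirname(path) == File.expand_path(DmsfHelper.temp_dir)`. The parameter can also still name any other file that happens to live in the temp directory, so it is worth confirming, in the part of the method that continues outside this hunk, that the name belongs to an upload made by the current user or session. A one-line comment such as `# disk_filename comes from the request; it must stay inside temp_dir` would tell the next reader why the value is filtered.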