Index: plugins/FeedsParser.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/feeds/plugins/FeedsParser.inc,v
retrieving revision 1.17
diff -u -r1.17 FeedsParser.inc
--- plugins/FeedsParser.inc	28 Jul 2010 21:12:43 -0000	1.17
+++ plugins/FeedsParser.inc	3 Sep 2010 19:02:03 -0000
@@ -163,6 +163,11 @@
   }
 
   /**
+   * Return the path to a file that contains the enclosed content (e. g. an mp3
+   * file). If the enclosure contains a relative path it assumes that it is
+   * relative to the site's files directory under feeds/ (e. g.
+   * sites/defaults/files/feeds/MYDIR/MYFILE.ogg).
+   *
    * @return
    *   A temporary file path to the downloaded resource referenced by the
    *   enclosure. Downloads resource if not downloaded yet. The file path is
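Review bot: The example path in the added docblock reads `sites/defaults/files/feeds/MYDIR/MYFILE.ogg`; Drupal's stock site directory is `sites/default`, so this is presumably a typo. The description also covers only relative paths, while the code in the next hunk handles URLs and values starting with `/` differently. One sentence stating which forms are accepted, and that relative paths are confined to the feeds directory, would make the security intent explicit. The docblock continues past the end of this hunk.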
@@ -179,12 +184,38 @@
         $filename = transliteration_clean_filename($filename);
       }
       $dest = file_destination(file_directory_temp() .'/'. $filename, FILE_EXISTS_RENAME);
-      if (ini_get('allow_url_fopen')) {
-        $this->file = copy($this->getValue(), $dest) ? $dest : 0;
+      
+      // File is uncopyable until we prove it is
+      $file_copyable = FALSE;
+      if (preg_match('@^((ftp|https?)://|/)@', $this->getValue()) && ini_get('allow_url_fopen')) {
+        // URLs are copyable if allow_url_fopen is enabled.
+        if (ini_get('allow_url_fopen')) {
+          $file = $this->getValue();
+          $file_copyable = TRUE;
+        }
+        else {
+          // Save the URL with getContent() since we can't simply copy it
+          $this->file = file_save_data($this->getContent(), $dest);
+        }
       }
       else {
-        $this->file = file_save_data($this->getContent(), $dest);
+        // The received value was not a URL so we'll check for a file in the
+        // files/feeds directory. We localize imported files to this directory
+        // for security purposes.
+        $file = file_directory_path() . '/feeds/' . $this->getValue();
+        if (!file_check_location($file, file_directory_path())) {
+          throw new Exception(t('Invalid file path.'));
+        }
+        if (!is_file($file)) {
+          throw new Exception(t('File %file not found.', array('%file' => $file)));
+        }
+        $file_copyable = TRUE; 
+      }
+
+      if ($file_copyable) {
+        $this->file = copy($file, $dest) ? $dest : 0;
       }
+
       if ($this->file === 0) {
         throw new Exception(t('Cannot write content to %dest', array('%dest' => $dest)));
       }
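Review bot: The new `preg_match` pattern also accepts any value starting with `/`, so an absolute local path skips the `file_check_location()` confinement in the else branch and goes straight to `copy()`. Because the enclosure value appears to come from feed content, a feed could make the importer copy any file the web server can read. Restrict the first branch to real URLs with `if (preg_match('@^(ftp|https?)://@', $this->getValue())) {`. That also drops the duplicated `ini_get('allow_url_fopen')` test, which makes the inner `file_save_data()` fallback unreachable; with `allow_url_fopen` off, URLs currently fall into the local-path branch and fail with "File not found". The containment check should name the directory the comment promises, `file_check_location($file, file_directory_path() . '/feeds')`, since checking against the whole files directory lets `../` reach files outside `feeds/`. The enclosing method starts and ends outside this hunk.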
