? 653412-3_expiry.patch
? 755556-6_relative_files.patch
? FeedsDataProcessor.ExpireFix.patch
? FeedsParser.inc-755556.patch
? libraries/PuSHSubscriber
? libraries/simplepie.inc
Index: plugins/FeedsParser.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/feeds/plugins/FeedsParser.inc,v
retrieving revision 1.12
diff -u -p -r1.12 FeedsParser.inc
--- plugins/FeedsParser.inc	29 Mar 2010 02:21:37 -0000	1.12
+++ plugins/FeedsParser.inc	28 Apr 2010 23:29:39 -0000
@@ -154,6 +154,11 @@ class FeedsEnclosure extends FeedsElemen
   }
 
   /**
+   * Return the path to a file that contains the enclosed content (e. g. an mp3
+   * file). If the enclosure contains a relative path it assumes that it is
+   * relative to the site's files directory under feeds/ (e. g.
+   * sites/defaults/files/feeds/MYDIR/MYFILE.ogg).
+   *
    * @return
    *   The file path to the downloaded resource referenced by the enclosure.
    *   Downloads resource if not downloaded yet.
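Review bot: The new docblock text and the existing `@return` description now disagree. For a relative enclosure the method returns the existing file in place and downloads nothing, so "Downloads resource if not downloaded yet." should be limited to remote or absolute values. The example path also reads `sites/defaults/files/...`, which is probably meant to be `sites/default/files/feeds/MYDIR/MYFILE.ogg`. The rest of the docblock lies outside this hunk, so check there whether the two 'Invalid file path.' / 'File %file not found.' exceptions are documented.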
@@ -163,15 +168,35 @@ class FeedsEnclosure extends FeedsElemen
    */
   public function getFile() {
     if(!isset($this->file)) {
-      $dest = file_destination(file_directory_temp() .'/'. get_class($this) .'-'. basename($this->getValue()), FILE_EXISTS_RENAME);
-      if (ini_get('allow_url_fopen')) {
-        $this->file = copy($this->getValue(), $dest) ? $dest : 0;
+      // If file path is local and not absolute, assume that it points to a
+      // site's files directory under feeds/.
+      if (!preg_match('@^((ftp|https?)://|/)@', $this->getValue())) {
+        $file = file_directory_path() . '/feeds/' . $this->getValue();
+        if (!file_check_location($file, file_directory_path())) {
+          throw new Exception(t('Invalid file path.'));
+        }
+        if (!is_file($file)) {
+          throw new Exception(t('File %file not found.', array('%file' => $file)));
+        }
+        $this->file = $file;
       }
       else {
-        $this->file = file_save_data($this->getContent(), $dest);
-      }
-      if ($this->file === 0) {
-        throw new Exception(t('Cannot write content to %dest', array('%dest' => $dest)));
+        $file = file_destination(file_directory_temp() .'/'. get_class($this) .'-'. basename($this->getValue()), FILE_EXISTS_RENAME);
+        if (!file_check_location($file, file_directory_path())) {
+          throw new Exception(t('Invalid file path.'));
+        }
+        if (is_file($this->getValue()) && !file_check_location($this->getValue(), file_directory_path())) {
+          throw new Exception(t('Invalid file path.'));
+        }
+        if (ini_get('allow_url_fopen')) {
+          $this->file = copy($this->getValue(), $file) ? $file : 0;
+        }
+        else {
+          $this->file = file_save_data($this->getContent(), $file);
+        }
+        if ($this->file === 0) {
+          throw new Exception(t('Cannot write content to %file', array('%file' => $file)));
+        }
       }
     }
     return $this->file;
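Review bot: Both containment checks in getFile() are rooted at the wrong directory. In the download branch, `$file` is built under `file_directory_temp()` but validated against `file_directory_path()`. Assuming file_check_location() does a realpath prefix comparison, every remote enclosure would fail with 'Invalid file path.' unless the temp directory sits inside the files directory; `if (!file_check_location($file, file_directory_temp())) {` checks the directory actually being written to. In the relative branch, the comment promises files under feeds/, yet the check accepts anything under the files directory, so a feed value containing `../` segments can select any file there; `if (!file_check_location($file, file_directory_path() . '/feeds')) {` enforces the documented boundary. The closing brace of getFile() lies outside the hunk.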
