Index: t3lib/class.t3lib_tstemplate.php
===================================================================
--- t3lib/class.t3lib_tstemplate.php (revision 8267)
+++ t3lib/class.t3lib_tstemplate.php (working copy)
@@ -1235,37 +1235,38 @@
 } else $file=$newFile; }
- // find
- if (strpos($file, '/') !== false) {
- // if the file is in the media/ folder but it doesn't exist,
- // it is assumed that it's in the tslib folder
- if (t3lib_div::isFirstPartOfStr($file, 'media/') && !is_file($this->getFileName_backPath . $file)) {
- $file = t3lib_extMgm::siteRelPath('cms') . 'tslib/' . $file;
- }
- if (is_file($this->getFileName_backPath . $file)) {
- $outFile = $file;
- $fileInfo = t3lib_div::split_fileref($outFile);
- $OK=0;
+ // if the file is in the media/ folder but it doesn't exist,
+ // it is assumed that it's in the tslib folder
+ if (t3lib_div::isFirstPartOfStr($file, 'media/') && !is_file($this->getFileName_backPath . $file)) {
+ $file = t3lib_extMgm::siteRelPath('cms') . 'tslib/' . $file;
+ }
+ if (is_file($this->getFileName_backPath . $file)) {
+ $outFile = $file;
+ $fileInfo = t3lib_div::split_fileref($outFile);
+ $OK=0;
+ if(in_array('/', $this->allowedPaths) && strpos($file, '/') === FALSE) {
+ $OK = 1;
+ } else {
 foreach ($this->allowedPaths as $val) { if (substr($fileInfo['path'], 0, strlen($val))==$val) { $OK=1; break; } }
- if ($OK) {
- $this->fileCache[$hash]=$outFile;
- return $outFile;
- } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$file.'" was not located in the allowed paths: ('.implode(',',$this->allowedPaths).')',3);
- } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$this->getFileName_backPath.$file.'" is not a file (non-uploads/.. resource, did not exist).',3);
- } else { // Here it is uploaded media:
- $outFile = $this->extractFromResources($this->setup['resources'],$file);
- if ($outFile) {
- if (@is_file($this->uplPath.$outFile)) {
- $this->fileCache[$hash] = $this->uplPath.$outFile;
- return $this->uplPath.$outFile;
- } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$this->uplPath.$outFile.'" is not a file (did not exist).',3);
- } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$file.'" is not a file (uploads/.. resource).',3);
- }
+ }
+ if ($OK) {
+ $this->fileCache[$hash]=$outFile;
+ return $outFile;
+ } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$file.'" was not located in the allowed paths: ('.implode(',',$this->allowedPaths).')',3);
+ } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$this->getFileName_backPath.$file.'" is not a file (non-uploads/.. resource, did not exist).',3);
+ // Here it is uploaded media:
+ $outFile = $this->extractFromResources($this->setup['resources'],$file);
+ if ($outFile) {
+ if (@is_file($this->uplPath.$outFile)) {
+ $this->fileCache[$hash] = $this->uplPath.$outFile;
+ return $this->uplPath.$outFile;
+ } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$this->uplPath.$outFile.'" is not a file (did not exist).',3);
+ } elseif ($this->tt_track) $GLOBALS['TT']->setTSlogMessage('"'.$file.'" is not a file (uploads/.. resource).',3);
 } /**
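Review bot: A path that fails the allowed-paths check is no longer rejected for good: with the old `else` gone, the "Here it is uploaded media" lookup now runs for every `$file` that did not return earlier, including names that contain `/`. Before this change only slash-free names reached `extractFromResources()` and the `$this->uplPath.$outFile` test; whether that helper copes with directory components is not visible in this hunk, so the allow-list decision should stay final for such paths. I would keep the new site-root case but guard the fallback, e.g. `if (strpos($file, '/') === FALSE) {` around the `extractFromResources()` block, which also avoids logging two contradictory TSlog messages for one rejected file. Separately, `in_array('/', $this->allowedPaths)` compares loosely; `in_array('/', $this->allowedPaths, TRUE)` states the intent. The enclosing function starts and ends outside the hunk.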