/* function used for showing charts on print screen */
static function uploadChartImage() {
// upload strictly for '.png' images
- $name = CRM_Utils_Request::retrieve('name', 'String', CRM_Core_DAO::$_nullObject, FALSE, NULL, 'GET');
- if (preg_match('/\.png$/', trim($name))) {
+ $name = trim(basename(CRM_Utils_Request::retrieve('name', 'String', CRM_Core_DAO::$_nullObject, FALSE, NULL, 'GET')));
+ if (preg_match('/\.png$/', $name)) {
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
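Review bot: The test `if (preg_match('/\.png$/', $name)) {` still constrains only the suffix of the basename, so a bare `.png` or a name containing unexpected bytes is accepted, and this value is now used directly as the file name. An allowlist anchored at both ends would make the accepted set explicit, for example `if (preg_match('/^[A-Za-z0-9_-]+\.png$/D', $name)) {`, assuming chart names never need other characters. The comment `// upload strictly for '.png' images` could also state that only the name is checked, not whether the request body is a PNG. The body of uploadChartImage continues outside this hunk, so any content check further down is not visible here.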
}
// full path to the saved image including filename
- $destination = $defaultPath . basename($name);
+ $destination = $defaultPath . $name;
//write and save
$jfh = fopen($destination, 'w') or die("can't open file");
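Review bot: `fopen($destination, 'w')` truncates any file that already has that name under `$defaultPath`, so the request's `name` parameter decides which existing `.png` in that directory is replaced. If overwriting an existing chart is not intended, exclusive-create mode fails instead of clobbering: `$jfh = fopen($destination, 'x') or die("can't open file");`. No permission check is visible in these hunks and `$defaultPath` is defined outside them, so confirm in the surrounding code that the endpoint requires an authenticated user and that the target directory is not configured to execute scripts.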
CRM_Utils_System::civiExit();
}
}
-}
-
+}
\ No newline at end of file