From e536c4d49e1044214b5b4ceae8fc06bf61107ce1 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Fri, 22 Feb 2019 00:24:49 -0800
Subject: [PATCH] CRM_Core_Page_File - Only delivers directly under the
 customFileUploadDir

---
 CRM/Core/Page/File.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CRM/Core/Page/File.php b/CRM/Core/Page/File.php
index b13dd9d66a..04c5a28d74 100644
--- a/CRM/Core/Page/File.php
+++ b/CRM/Core/Page/File.php
@@ -59,6 +59,9 @@ class CRM_Core_Page_File extends CRM_Core_Page {
       list($path, $mimeType) = CRM_Core_BAO_File::path($fileId, $entityId);
     }
     else {
+      if ($fileName !== basename($fileName)) {
+        throw new CRM_Core_Exception("Malformed filename");
+      }
       $mimeType = '';
       $path = CRM_Core_Config::singleton()->customFileUploadDir . $fileName;
     }
-- 
2.25.1