From fde2198421ca7f5056dd391e949668588214ea02 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Sat, 12 Oct 2013 15:36:51 +0100
Subject: [PATCH] CRM-13572 - Upgrader - Display pre-upgrade message about OFC

----------------------------------------
* CRM-13572: http://issues.civicrm.org/jira/browse/CRM-13572
---
 CRM/Upgrade/Incremental/Legacy.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CRM/Upgrade/Incremental/Legacy.php b/CRM/Upgrade/Incremental/Legacy.php
index e8e4cee8c4..5bd61ee3e6 100644
--- a/CRM/Upgrade/Incremental/Legacy.php
+++ b/CRM/Upgrade/Incremental/Legacy.php
@@ -90,6 +90,18 @@ SELECT id
 $preUpgradeMessage .= '
' . ts('To continue using Google Checkout Payment Processor with latest version of CiviCRM, requires updating merchant account settings. Please refer "Set API callback URL and other settings" section of Google Checkout Configuration doc.', array(1 => 'http://wiki.civicrm.org/confluence/x/zAJTAg'));
 }
 }
+
+ global $civicrm_root;
+ $ofcFile = "$civicrm_root/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php";
+ if (file_exists($ofcFile)) {
+ // http://issues.civicrm.org/jira/browse/CRM-13572
+ // Depending on how the code was upgraded, some sites may still have copies of old
+ // source files left behind. This is often a forgivable offense, but it's quite
+ // dangerous for CIVI-SA-2013-001.
+ $preUpgradeMessage .= '
' . ts('This system includes an outdated, insecure script (%1). Please delete it.', array(
+ 1 => $ofcFile
+ ));
+ }
 }

 static function checkMessageTemplate(&$template, &$message, $latestVer, $currentVer) {
-- 
2.25.1
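Review bot: The new `file_exists($ofcFile)` branch only appends a sentence to `$preUpgradeMessage`, so an administrator who clicks through the upgrade screen leaves the script on disk and nothing visible here reports it again afterwards. Since the comment ties this file to CIVI-SA-2013-001, the leftover deserves either a check that also runs after the upgrade or wording that says the file must be removed before continuing, rather than a one-time notice placed next to routine upgrade hints. The test covers a single path while the comment speaks of old source files in general, so it is worth confirming that `ofc_upload_image.php` is the only leftover that matters. The path is concatenated into what appears to be HTML output, so I would pass it escaped: `1 => htmlspecialchars($ofcFile)`. The enclosing function starts above the hunk.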