authorplegall <plg@piwigo.org>2008-12-02 23:25:45 +0000
committerplegall <plg@piwigo.org>2008-12-02 23:25:45 +0000
commitfa47fc120b55a4dfef98e031f3406eeb2ecd3c47 (patch)
tree292ae7701bea5c447456cb5b9d6f196e80f8370d /include
parentb66f527601e7e9e5aac4ac19c6109d808f1ef56e (diff)
bug 904 fixed: an index.htm is created in the directories created by the
pwg.images.add web API method, but only in directories that contain pictures. git-svn-id: http://piwigo.org/svn/branches/2.0@2916 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r--include/functions.inc.php14
-rw-r--r--include/ws_functions.inc.php6
2 files changed, 20 insertions, 0 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 093f207e9..513054ab9 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1540,4 +1540,18 @@ function convert_charset($str, $source_charset, $dest_charset)
}
return $str; //???
}
+
+/**
+ * makes sure a index.htm protects the directory from browser file listing
+ *
+ * @param string dir directory
+ */
+function secure_directory($dir)
+{
+ $file = $dir.'/index.htm';
+ if (!file_exists($file))
+ {
+ @file_put_contents($file, 'Not allowed!');
+ }
+}
?>
\ No newline at end of file
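Review bot: secure_directory() discards the outcome of the write: `@file_put_contents($file, 'Not allowed!')` suppresses the warning and the return value is ignored, so when the directory is not writable the upload carries on with the directory still listable and nothing is logged. Consider reporting the result, e.g. `return file_exists($file) || false !== file_put_contents($file, 'Not allowed!');`, and having the three call sites in ws_functions.inc.php (`$upload_dir`, `$thumbnail_dir`, `$high_dir`) check it. The docblock should spell the parameter as `@param string $dir`. It should also state that the placeholder presumably only stops browsing on servers configured to serve index.htm as the directory index, and that it does not restrict direct access to the files in the directory.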
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 24170ec47..2e96370e1 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -951,6 +951,8 @@ SELECT
}
}
+ secure_directory($upload_dir);
+
// compute file path
$date_string = preg_replace('/[^\d]/', '', $dbnow);
$random_string = substr($params['file_sum'], 0, 8);
@@ -994,6 +996,8 @@ SELECT
}
}
+ secure_directory($thumbnail_dir);
+
// thumbnail path, the filename may use a prefix and the extension is
// always "jpg" (no matter what the real file format is)
$thumbnail_path = sprintf(
@@ -1044,6 +1048,8 @@ SELECT
}
}
+ secure_directory($high_dir);
+
// high resolution path, same name as web size file
$high_path = sprintf(
'%s/%s.%s',