From 39b4638134316cc6b8ee8d03df1e130cbaf57437 Mon Sep 17 00:00:00 2001
From: steinm
Date: Fri, 8 Feb 2013 15:03:53 +0000
Subject: [PATCH] - make sure the drop box folder is used, even if the user has a login name like '../user'
---
views/bootstrap/class.DropFolderChooser.php | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/views/bootstrap/class.DropFolderChooser.php b/views/bootstrap/class.DropFolderChooser.php
index c02033c37..edf38028c 100644
--- a/views/bootstrap/class.DropFolderChooser.php
+++ b/views/bootstrap/class.DropFolderChooser.php
@@ -50,17 +50,22 @@ var targetName = document..dropfolderfile; $this->contentContainerStart(); $dir = $dropfolderdir.'/'.$user->getLogin(); - if(is_dir($dir)) { - $d = dir($dir); - echo "\n"; - while (false !== ($entry = $d->read())) { - if($entry != '..' && $entry != '.') { - if(!is_dir($entry)) { - echo "\n"; + /* Check if we are still looking in the configured directory and * not somewhere else, e.g. if the login was '../test' */ + if(dirname($dir) == $dropfolderdir) { + if(is_dir($dir)) { + $d = dir($dir); + echo "
".$entry."".LetoDMS_Core_File::format_filesize(filesize($dir.'/'.$entry))."
\n"; + while (false !== ($entry = $d->read())) { + if($entry != '..' && $entry != '.') { + if(!is_dir($entry)) { + echo "\n"; + } } } + echo "
".$entry."".LetoDMS_Core_File::format_filesize(filesize($dir.'/'.$entry))."
\n"; } - echo "\n"; } $this->contentContainerEnd();
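Review bot: The new `dirname($dir) == $dropfolderdir` guard still accepts a login of `.` or `..`, because `dirname('/drop/..')` evaluates to `/drop`, so such a login (if the application's login validation permits it, which is not visible here) would list the parent of the drop-folder root or the root itself with every user's folder. It also silently disables the feature whenever `$dropfolderdir` is configured with a trailing slash, since `dirname()` never returns one and the loose `==` cannot bridge that. Comparing resolved paths is more robust: `$real = realpath($dir); $base = realpath($dropfolderdir);` followed by `if($real !== false && $base !== false && $real !== $base && dirname($real) === $base) {` (this additionally rejects a user folder that is a symlink out of the tree, which may or may not be intended). Separately, the re-indented `if(!is_dir($entry))` tests a path relative to the working directory rather than `$dir.'/'.$entry`, so subdirectories inside the drop folder are listed as files and `filesize()` is called on them. The enclosing method begins before and ends after this hunk.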