better input validation in files/index.php SC#307

diff --git a/files/index.php b/files/index.php
index 238dd729e31b60d23fe48c7ccfd6cfdae90375b0..ef3071069644c1f5af6cae393845704a80ff8c83 100644 (file)
--- a/files/index.php
+++ b/files/index.php
@@ -16,7 +16,7 @@
     $action  = optional_param('action', '', PARAM_ACTION);
     $name    = optional_param('name', '', PARAM_FILE);
     $oldname = optional_param('oldname', '', PARAM_FILE);
-    $choose  = optional_param('choose', '', PARAM_CLEAN);
+    $choose  = optional_param('choose', '', PARAM_FILE); //in fact it is always 'formname.inputname'
     $userfile= optional_param('userfile','',PARAM_FILE);
     $save    = optional_param('save', 0, PARAM_BOOL);
     $text    = optional_param('text', '', PARAM_RAW);