From 4748ac2c4ff8c1477dc071ea12c57817834aee12 Mon Sep 17 00:00:00 2001
From: Angie Byron <webchick@24967.no-reply.drupal.org>
Date: Sat, 11 Oct 2008 02:58:40 +0000
Subject: [PATCH] #319328: SA-2008-060 (#318706): File upload access bypass.

---
 modules/upload/upload.module | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index 0c8e792275eb..4fceaa6ab3eb 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -184,7 +184,7 @@ function upload_node_form_submit($form, &$form_state) {
   );
 
   // Save new file uploads.
-  if (($user->uid != 1 || user_access('upload files')) && ($file = file_save_upload('upload', $validators, file_directory_path()))) {
+  if (user_access('upload files') && ($file = file_save_upload('upload', $validators, file_directory_path()))) {
     $file->list = variable_get('upload_list_default', 1);
     $file->description = $file->filename;
     $file->weight = 0;
-- 
GitLab