Backend uploads require upload directory within JPATH_ROOT

[dr236]

(Not sure if a bug.) It looks like jd's "Upload Files" via the backend requires that the upload directory lives within JPATH_ROOT, due to the call
  $targetDirCleaned  = JPath::check($targetDirWithSep);
within administrator/components/com_jdownloads/controllers/uploads.php:upload.

But this isn't checked for when the upload directory is configured in jd's "Upload directory path". Also the "auto discovery" of new files manually uploaded to the jdownloads upload area, and the front-end upload procedure do not check for this.

Could I suggest this check isn't done, as there are good reasons to have the upload directory outside of JPATH_ROOT.

Thanks,
David

[ColinM]

David,
Think you are right but need to check with Arno.  JPath::check($targetDirWithSep);  will clean up the path if possible and also check that the path is in the scope of the Joomla root.

Using JPath::clean   just cleans up the directory string if possible.  So maybe

  $targetDirCleaned  = JPath::clean($targetDirWithSep);
would be OK.

But maybe there is a specific reason for the 'check' function because of the use of Plupload.
Colin