From 1b7e83e11ee27542c21104bf35e390f8872611be Mon Sep 17 00:00:00 2001
From: Aaron van Geffen <aaron@aaronweb.net>
Date: Sun, 1 Mar 2020 17:07:10 +0100
Subject: [PATCH] Let `tar` change working directory to assets directory.

This prevents edge cases where files are not found, while ensuring
the archive does not contain the system directory hierarchy.
---
 controllers/Download.php | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/controllers/Download.php b/controllers/Download.php
index b22b92b..8dfaa9a 100644
--- a/controllers/Download.php
+++ b/controllers/Download.php
@@ -29,22 +29,16 @@ class Download
 		exit;
 	}
 
-	private function exportAlbum($album)
+	private function exportAlbum(Tag $album)
 	{
 		$files = [];
 
 		$album_ids = array_merge([$album->id_tag], $this->getChildAlbumIds($album->id_tag));
 		foreach($album_ids as $album_id)
 		{
-			$iterator = AssetIterator::getByOptions(
-				[
-					'id_tag' => $album_id
-				]
-			);
-			while($asset = $iterator->Next())
-			{
-				$files[] = join(DIRECTORY_SEPARATOR, ['.', $asset->getSubdir(), $asset->getFilename()]);
-			}
+			$iterator = AssetIterator::getByOptions(['id_tag' => $album_id]);
+			while ($asset = $iterator->next())
+				$files[] = join(DIRECTORY_SEPARATOR, [$asset->getSubdir(), $asset->getFilename()]);
 		}
 
 		$descriptorspec = [
@@ -52,7 +46,7 @@ class Download
 			1 => ['pipe', 'w'],
 		];
 
-		$command = 'tar --null -cf - -T -';
+		$command = 'tar -cf - -C ' . escapeshellarg(ASSETSDIR) . ' --null -T -';
 
 		$proc = proc_open($command, $descriptorspec, $pipes, ASSETSDIR);