* uninstall: do not allow directories outside BASE

* uninstall: do not allow absolute paths

system/libs/plugins.php

@@ -236,16 +236,32 @@ class Plugins {
 				else {
 					$success = true;
 					foreach($plugin_info['uninstall'] as $file) {
-						$file = BASE . $file;
-						if(!deleteDirectory($file)) {
+						if(strpos($file, '/') === 0) {
 							$success = false;
+							self::$error = "You cannot use absolute paths (starting with slash - '/'): " . $file;
+							break;
+						}
+						
+						$file = BASE . $file;
+						if(!is_sub_dir($file, BASE) || realpath(dirname($file)) != dirname($file)) {
+							$success = false;
+							self::$error = "You don't have rights to delete: " . $file;
+							break;
 						}
 					}
-
+					
+					if($success) {
+						foreach($plugin_info['uninstall'] as $file) {
+							if(!deleteDirectory(BASE . $file)) {
+								self::$warnings[] = 'Cannot delete: ' . $$file;
+							}
+						}
+					}
+						
 					if (isset($plugin_info['hooks'])) {
 						foreach ($plugin_info['hooks'] as $_name => $info) {
 							if (defined('HOOK_'. $info['type'])) {
-								$hook = constant('HOOK_'. $info['type']);
+								//$hook = constant('HOOK_'. $info['type']);
 								$query = $db->query('SELECT `id` FROM `' . TABLE_PREFIX . 'hooks` WHERE `name` = ' . $db->quote($_name) . ';');
 								if ($query->rowCount() == 1) { // found something
 									$query = $query->fetch();
@@ -263,9 +279,6 @@ class Plugins {
 
 						return true;
 					}
-					else {
-						self::$error = error_get_last();
-					}
 				}
 			}
 		}

system/pages/admin/plugins.php

@@ -22,7 +22,7 @@ if(isset($_REQUEST['uninstall'])){
 		success('Successfully uninstalled plugin ' . $uninstall);
 	}
 	else {
-		error('Error while uninstalling plugin ' . $plugin_name . ': ' . Plugins::getError());
+		error('Error while uninstalling plugin ' . $uninstall . ': ' . Plugins::getError());
 	}
 }
 else if(isset($_FILES["plugin"]["name"]))