Here’s a more complete patch:
https://gist.github.com/3899757
Lumpysimon – I would highly recommend reverting your ‘dir’ query variable patch. The patch would introduce a terrible vulnerability to your site. One of the first things timthumb does when it starts is to clean the cache. It sounds like you are allowing the cache directory to be configurable via your ‘dir’ query param. Depending on how your file permissions are set up, someone could potentially cause your entire site (or worse) to be deleted by passing something like ‘dir=../../../’
I’m not sure what the intention is with putting the timthumb cache in the uploads folder, but as far as I can tell, it’s unnecessary. Taking out the FILE_CACHE_DIRECTORY define from timthumb-config.php will cause the default to be used (e.g. plugins/user-avatar/cache/). The files in the cache folder don’t even need to be publicly exposed since they are always processed by the timthumb code before they are returned anyway. This was part of the recent timthumb exploit. PHP code was being uploaded as “image” files and stored in the timthumb cache where it could be executed simply by visiting the URL. I’ve also taken an extra step by adding an .htaccess to the cache/ dir with “Deny From All” in it.
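As an added illustration of the containment check the comment above is asking for (this is example code, not timthumb's or the user-avatar plugin's own; PLUGIN_BASE_DIR, DEFAULT_CACHE_DIR and resolveCacheDir() are assumed names), this is how a cache directory taken from configuration can be resolved so that it can never point the cache cleaner outside the plugin directory:

```php
<?php
// Assumed layout: this file sits in the plugin root, and timthumb's default
// cache lives in PLUGIN_BASE_DIR/cache (matching the default mentioned above).
define('PLUGIN_BASE_DIR', __DIR__);
define('DEFAULT_CACHE_DIR', PLUGIN_BASE_DIR . '/cache');

/**
 * Resolve a requested cache directory and return its absolute path only if
 * it sits inside PLUGIN_BASE_DIR. Returns null for anything that escapes
 * the base (for example a value such as '../../../'), for NUL bytes, and
 * for directories that do not exist, so the caller falls back to the default.
 */
function resolveCacheDir(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }

    // realpath() collapses '..' segments and symlinks, so the comparison
    // below is made on the real filesystem location, not on the raw string.
    $base      = realpath(PLUGIN_BASE_DIR);
    $candidate = realpath(PLUGIN_BASE_DIR . '/' . $requested);
    if ($base === false || $candidate === false) {
        return null;
    }

    // Containment: candidate must be the base itself or a descendant of it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strpos($candidate, $prefix) !== 0) {
        return null;
    }
    return $candidate;
}

// The cleaner only ever operates on a directory that passed the check;
// anything rejected (including a traversal attempt) becomes the default.
$cacheDir = resolveCacheDir('cache') ?? DEFAULT_CACHE_DIR;
```

The safest option remains the one the comment recommends: do not take the cache location from the request at all and let timthumb use its own cache/ directory, with the check above serving as a second line of defence for values that come from configuration.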