From 6c27d6eebffef49b4aad09f3ca5201ef06d77977 Mon Sep 17 00:00:00 2001
From: Lester Caine <lester@lsces.co.uk>
Date: Thu, 4 Jun 2026 12:04:32 +0100
Subject: admin_system: fix cache prune safety check to allow TEMP_PKG_PATH and
 STORAGE_PKG_PATH

The guard strpos($item['path'], BIT_ROOT_PATH) always failed for any cache
directory under TEMP_PKG_PATH (e.g. icons, modules, system cache) since
TEMP_PKG_PATH is outside the web root. None of those caches were ever
actually cleared. Extend the check to accept all three known safe roots.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 admin/admin_system.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/admin/admin_system.php b/admin/admin_system.php
index 31a1d53..2929aee 100755
--- a/admin/admin_system.php
+++ b/admin/admin_system.php
@@ -78,7 +78,8 @@ if( !empty( $_GET['prune'] ) ) {
 	foreach( $diskUsage as $key => $item ) {
 		if( $_GET['prune'] == $key || $_GET['prune'] == 'all' ) {
 			$dir = $item['path'].( !empty( $item['subdir'] ) ? '/'.$item['subdir'] : '' );
-			if( is_dir( $dir ) && strpos( $item['path'], BIT_ROOT_PATH ) === 0 ) {
+			$safeRoot = strpos( $item['path'], BIT_ROOT_PATH ) === 0 || strpos( $item['path'], TEMP_PKG_PATH ) === 0 || strpos( $item['path'], STORAGE_PKG_PATH ) === 0;
+			if( is_dir( $dir ) && $safeRoot ) {
 				if( KernelTools::unlink_r( $dir )) {
 					$reload = true;
 				} else {
-- 
cgit v1.3