issue #1073 prevents from making uploaded file executable

* for the name of the file in buffer directory, do not use the name given by the user, but the md5 of the name without extension
* function add_uploaded_file deletes uploaded file if not expected

admin/include/functions_upload.inc.php

@@ -237,11 +237,13 @@ SELECT
       }
       else
       {
+        unlink($source_filepath);
         die('unexpected file type');
       }
     }
     else
     {
+      unlink($source_filepath);
       die('forbidden file type');
     }
 

include/ws_functions/pwg.images.php

@@ -1348,6 +1348,10 @@ function ws_images_upload($params, $service)
     $fileName = uniqid("file_");
   }
 
+  // change the name of the file in the buffer to avoid any unexpected
+  // extension. Function add_uploaded_file will eventually clean the mess.
+  $fileName = md5($fileName);
+
   $filePath = $upload_dir.DIRECTORY_SEPARATOR.$fileName;
 
   // Chunking might be enabled