createthumb.php security / improvement

[rhaamo]

I have in the user home a file like "watermark.png", I can generate a thumbnail by using an URL like :

/createthumb.php?filename=../watermark.png&size=320

Even something like this works:

/createthumb.php?filename=../../../usr/share/pixmaps/debian-logo.png&size=320

Even if it would not render anything other than an image type this seems to be a security issue.