authorSarven Capadisli <csarven@status.net>2010-02-04 16:56:34 +0000
committerSarven Capadisli <csarven@status.net>2010-02-04 16:56:34 +0000
commit7ebd13fa69d2a5dac8bc59799281d3d6e017eeae (patch)
tree605267bbe7c902d7a71766cdeb523bfbb266a0f9 /classes/File.php
parent339eb1adadc7f3495ad31ef0a5cf20cdca47ce1f (diff)
parent9e940445f1ab1ec53f3bad14a1a94dc2064d0ee6 (diff)
Merge branch '0.9.x' of git@gitorious.org:statusnet/mainline into 0.9.x
Diffstat (limited to 'classes/File.php')
-rw-r--r--classes/File.php17
1 files changed, 17 insertions, 0 deletions
diff --git a/classes/File.php b/classes/File.php
index 34e4632a8..307fdb686 100644
--- a/classes/File.php
+++ b/classes/File.php
@@ -176,8 +176,22 @@ class File extends Memcached_DataObject
return "$nickname-$datestamp-$random.$ext";
}
+ /**
+ * Validation for as-saved base filenames
+ */
+ static function validFilename($filename)
+ {
+ return preg_match('/^[A-Za-z0-9._-]+$/', $filename);
+ }
+
+ /**
+ * @throws ClientException on invalid filename
+ */
static function path($filename)
{
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
$dir = common_config('attachments', 'dir');
if ($dir[strlen($dir)-1] != '/') {
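Review bot: The character class in the new `validFilename` still accepts the names `.` and `..`, since both consist only of characters from `[A-Za-z0-9._-]`, so `File::path('..')` passes the added check at the top of `path()` and presumably yields the parent of the attachments directory once it is joined to `$dir`. Without the `D` modifier PCRE's `$` also matches before a trailing newline, so a value like `"name.txt\n"` is accepted as well. Given the docblock says this validates as-saved base filenames, I would tighten it to `return preg_match('/^[A-Za-z0-9._-]+$/D', $filename) && $filename !== '.' && $filename !== '..';`. Whether any caller can reach `path()` or `url()` with such a value is not visible from this hunk, but the guard is cheap and the validator is meant to stand on its own. The body of `path()` continues past the end of the hunk.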
@@ -189,6 +203,9 @@ class File extends Memcached_DataObject
static function url($filename)
{
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
if(common_config('site','private')) {
return common_local_url('getfile',