Diffstat (limited to 'classes/File.php')
-rw-r--r-- | classes/File.php | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/classes/File.php b/classes/File.php
index 34e4632a8..4ecd3b959 100644
--- a/classes/File.php
+++ b/classes/File.php
@@ -169,15 +169,33 @@ class File extends Memcached_DataObject
 {
 require_once 'MIME/Type/Extension.php';
 $mte = new MIME_Type_Extension();
- $ext = $mte->getExtension($mimetype);
+ try {
+ $ext = $mte->getExtension($mimetype);
+ } catch ( Exception $e) {
+ $ext = strtolower(preg_replace('/\W/', '', $mimetype));
+ }
 $nickname = $profile->nickname;
 $datestamp = strftime('%Y%m%dT%H%M%S', time());
 $random = strtolower(common_confirmation_code(32));
 return "$nickname-$datestamp-$random.$ext";
 }
+ /**
+ * Validation for as-saved base filenames
+ */
+ static function validFilename($filename)
+ {
+ return preg_match('/^[A-Za-z0-9._-]+$/', $filename);
+ }
+
+ /**
+ * @throws ClientException on invalid filename
+ */
 static function path($filename)
 {
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
 $dir = common_config('attachments', 'dir');
 if ($dir[strlen($dir)-1] != '/') {
@@ -189,6 +207,9 @@ class File extends Memcached_DataObject
 static function url($filename)
 {
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
 if(common_config('site','private')) {
 return common_local_url('getfile',
@@ -211,9 +232,20 @@ class File extends Memcached_DataObject
 $server = common_config('site', 'server');
 }
- // XXX: protocol
+ $ssl = common_config('attachments', 'ssl');
+
+ if (is_null($ssl)) { // null -> guess
+ if (common_config('site', 'ssl') == 'always' &&
+ !common_config('attachments', 'server')) {
+ $ssl = true;
+ } else {
+ $ssl = false;
+ }
+ }
+
+ $protocol = ($ssl) ? 'https' : 'http';
- return 'http://'.$server.$path.$filename;
+ return $protocol.'://'.$server.$path.$filename;
 }
 }
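Review bot: validFilename() anchors its pattern with `$`, which in PCRE also matches just before a trailing newline, so a name ending in a newline passes the check that path() and url() rely on, and the names `.` and `..` match the character class as well. Anchoring with `\z` and rejecting the two dot names closes both gaps: `return preg_match('/^[A-Za-z0-9._-]+\z/', $filename) === 1 && !in_array($filename, array('.', '..'), true);`. Separately, the catch fallback in filename() builds the extension from `$mimetype` with only non-word characters stripped; if that value can originate from an upload, comparing the result against the set of permitted extensions would be safer, though where `$mimetype` comes from is not visible here. filename() starts above the hunk and path() continues below it.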
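Review bot: url() now throws ClientException for a name that fails validFilename(), but unlike path() it gets no docblock saying so, and callers that build attachment links while rendering a page will have to handle the exception. Add `/** @throws ClientException on invalid filename */` above `static function url($filename)`. The rest of url() lies outside this hunk, so whether its callers already catch the exception cannot be checked from here.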
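Review bot: The null-guess branch selects `http` whenever `attachments/server` is set, even on a site configured with `site/ssl` = 'always', so attachment links on an otherwise HTTPS-only site are emitted as cleartext URLs unless the operator sets `attachments/ssl` explicitly. That default deserves a comment at the `// null -> guess` line, for example `// a separate attachments server is assumed not to serve HTTPS; set attachments/ssl = true to override`. The comparison should also be strict, `common_config('site', 'ssl') === 'always'`, because loose `==` against a string treats some non-string config values as equal. Any non-null `attachments/ssl` value is then used by truthiness, so a string such as 'never' (the style `site/ssl` uses) would select https; documenting that the setting is boolean-or-null avoids that surprise. The enclosing function starts above the hunk.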
@@ -258,5 +290,12 @@ class File extends Memcached_DataObject
 }
 return $enclosure;
 }
+
+ // quick back-compat hack, since there's still code using this
+ function isEnclosure()
+ {
+ $enclosure = $this->getEnclosure();
+ return !empty($enclosure);
+ }
 } |
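Review bot: isEnclosure() is added without a visibility keyword or docblock, and its comment calls it a back-compat hack without naming what callers should use instead. Replace the comment with `/** @deprecated back-compat wrapper; call getEnclosure() and test the result */` and declare it as `public function isEnclosure()`. Only the tail of getEnclosure() is visible in this hunk, so whether it can throw for some files, and therefore whether this wrapper can, is not shown.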