From 6159edcebbcb1c230113e18788a676035979a4c8 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 1 Feb 2010 08:48:31 -0800
Subject: Improve name validation checks on local File references

---
 actions/getfile.php | 2 +-
 classes/File.php | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/actions/getfile.php b/actions/getfile.php
index cd327e410..9cbe8e1d9 100644
--- a/actions/getfile.php
+++ b/actions/getfile.php
@@ -71,7 +71,7 @@ class GetfileAction extends Action
 $filename = $this->trimmed('filename');
 $path = null;
 
- if ($filename) {
+ if ($filename && File::validFilename($filename)) {
 $path = File::path($filename);
 }
 
diff --git a/classes/File.php b/classes/File.php
index c527c4ffe..6dd9e0c06 100644
--- a/classes/File.php
+++ b/classes/File.php
@@ -176,8 +176,22 @@ class File extends Memcached_DataObject
 return "$nickname-$datestamp-$random.$ext";
 }
 
+ /**
+ * Validation for as-saved base filenames
+ */
+ static function validFilename($filename)
+ {
+ return preg_match('^/[A-Za-z0-9._-]+$/', $filename);
+ }
+
+ /**
+ * @throws ClientException on invalid filename
+ */
 static function path($filename)
 {
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
 $dir = common_config('attachments', 'dir');
 
 if ($dir[strlen($dir)-1] != '/') {
@@ -189,6 +203,9 @@ class File extends Memcached_DataObject
 
 static function url($filename)
 {
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
 if(common_config('site','private')) {
 
 return common_local_url('getfile',
--
cgit v1.2.3-54-g00ecf

From 4f6052d8d8bd3d64d395e7849a31183371040eb8 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 2 Feb 2010 05:53:05 -0800
Subject: Apply xopher's fix to add 'sitetype' parameter to setup_status_network.sh, exposed to the email

---
 scripts/setup_status_network.sh | 6 ++++++
 1 file changed, 6 insertions(+)

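Review bot: The `$filename &&` half of the new condition tests PHP truthiness, so a request for a file literally named `0` is rejected even though it would pass `File::validFilename()`; because the validator's character class already requires at least one character, `if (File::validFilename($filename)) {` is enough (a null from `trimmed()` fails the match as an empty subject). The generated names visible in the next hunk (`"$nickname-$datestamp-$random.$ext"`) never take that form, so this is latent rather than live. It is also worth one comment that the pre-check is deliberate, since `File::path()` now throws ClientException for the same input: `// validate here so File::path() never throws on request input`. The enclosing method starts and ends outside the hunk.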
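Review bot: The character class in `validFilename()` accepts the names `.` and `..`, and a trailing `$` in PCRE also matches before a final newline, so a subject such as `"name\n"` passes and `File::path()` then joins it onto the attachments directory. With the delimiter written as in commit 51c3606 later on this page, anchoring with `\z` and rejecting the two dot names closes both gaps: `return (bool) preg_match('/^[A-Za-z0-9._-]+\z/', $filename) && $filename !== '.' && $filename !== '..';`. The docblock should also state the contract, `@param string $filename` and `@return bool`, since `path()` and `url()` use the result as a boolean. `path()` continues past the hunk.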
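Review bot: The guard added to `url()` is a verbatim copy of the one in `path()` in the previous hunk, and both hard-code `"Invalid filename"` where StatusNet's other user-facing strings go through `_()` for translation; a private helper that both call keeps the check and the message in one place. If `url()` is normally handed filenames read back from the database rather than from a request, a ClientException (a client-side error) misattributes a corrupt stored name; a ServerException may be the better type there — confirm against the callers. `url()` continues past the hunk.
```php
    /**
     * @throws ClientException on invalid filename
     */
    private static function assertValidFilename($filename)
    {
        if (!self::validFilename($filename)) {
            throw new ClientException(_('Invalid filename'));
        }
    }

    static function url($filename)
    {
        self::assertValidFilename($filename);
        // … unchanged: private-site / public URL branches …
```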
diff --git a/scripts/setup_status_network.sh b/scripts/setup_status_network.sh
index 4ad808011..bacf3c3e7 100755
--- a/scripts/setup_status_network.sh
+++ b/scripts/setup_status_network.sh
@@ -13,6 +13,11 @@ export sitename="$2"
 export tags="$3"
 export email="$4"
 export fullname="$5"
+export sitetype="$6"
+
+if [ "$sitetype" == '' ]; then
+ sitetype='single-user'
+fi
 
 # Fixme: if this is changed later we need to update profile URLs
 # for the created user.
@@ -71,6 +76,7 @@ then
 sed "s/\$nickname/$nickname/" | \
 sed "s/\$sitename/$sitename/" | \
 sed "s/\$userpass/$userpass/" | \
+ sed "s/\$sitetype/$sitetype/" | \
 php $PHPBASE/scripts/sendemail.php \
 -s"$server" \
 -n"$nickname" \
--
cgit v1.2.3-54-g00ecf

From 51c3606715573d8cea3c79ff7bc989a4ba86acc5 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 2 Feb 2010 09:30:15 -0800
Subject: Fix regression breaking file attachments. This is what I get for rushing fixes and not properly testing them. :P

---
 classes/File.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/File.php b/classes/File.php
index 6dd9e0c06..ee418a802 100644
--- a/classes/File.php
+++ b/classes/File.php
@@ -181,7 +181,7 @@ class File extends Memcached_DataObject
 */
 static function validFilename($filename)
 {
- return preg_match('^/[A-Za-z0-9._-]+$/', $filename);
+ return preg_match('/^[A-Za-z0-9._-]+$/', $filename);
 }
 
 /**
--
cgit v1.2.3-54-g00ecf
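Review bot: `[ "$sitetype" == '' ]` relies on the bash-only `==` operator inside `[`; under a POSIX `sh` implementation of `test` that is a syntax error, and the portable spelling is `=`. The whole added block, from `+export sitetype="$6"` through `+fi`, reduces to a single line that also keeps the default in one place: `export sitetype="${6:-single-user}"`. The shebang is outside the hunk, so which interpreter actually runs this script cannot be confirmed from here.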
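Review bot: The new `sed "s/\$sitetype/$sitetype/"` splices the raw sixth argument into the sed program, exactly like the three existing substitutions above it, so a value containing `/` breaks the expression and `&` is replaced by the matched text; with a free-form `sitetype` argument that case is now reachable. Escape the value once before the pipeline, e.g. `sitetype_esc=$(printf '%s' "$sitetype" | sed 's/[\/&]/\\&/g')`, and substitute `$sitetype_esc` in the new line, or pass the value to sendemail.php as an argument instead of rewriting the template with sed. The pipeline begins outside the hunk.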
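Review bot: With the delimiter corrected, `validFilename()` still hands back `preg_match()`'s raw result, `1`, `0`, or `false` on a PCRE error, while both callers negate it as a boolean; `return (bool) preg_match('/^[A-Za-z0-9._-]+$/', $filename);` makes that contract explicit. The docblock above (its opening is the first context line of the hunk) should then carry `@param string $filename` and `@return bool`, so a reader does not have to infer the fail-closed behaviour on a regex error from the callers.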