diff options
| author | Evan Prodromou <evan@status.net> | 2010-09-02 22:56:18 -0400 |
|---|---|---|
| committer | Evan Prodromou <evan@status.net> | 2010-09-02 22:56:18 -0400 |
| commit | 6c14235d6c3359a6c9012ec49077f8defe117779 (patch) | |
| tree | a2c9abccb56d4c017a49ac27634d075dd54d57be /lib/themeuploader.php | |
| parent | 388495f6b1fe5de9af7fc6a01b12da1a5c36093e (diff) | |
| parent | 1bfbe9badfbe3e79f82e7216d1401f05a2750677 (diff) | |
Merge branch '0.9.x' of gitorious.org:statusnet/mainline into 0.9.x
Diffstat (limited to 'lib/themeuploader.php')
| -rw-r--r-- | lib/themeuploader.php | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/lib/themeuploader.php b/lib/themeuploader.php index abf0658d3..5a48e884e 100644 --- a/lib/themeuploader.php +++ b/lib/themeuploader.php @@ -192,37 +192,52 @@ class ThemeUploader if (in_array(strtolower($ext), $skip)) { return true; } + if ($filename == '' || substr($filename, 0, 1) == '.') { + // Skip Unix-style hidden files + return true; + } + if ($filename == '__MACOSX') { + // Skip awful metadata files Mac OS X slips in for you. + // Thanks Apple! + return true; + } return false; } protected function validateFile($filename, $ext) { $this->validateFileOrFolder($filename); - $this->validateExtension($ext); + $this->validateExtension($filename, $ext); // @fixme validate content } protected function validateFileOrFolder($name) { if (!preg_match('/^[a-z0-9_\.-]+$/i', $name)) { + common_log(LOG_ERR, "Bad theme filename: $name"); $msg = _("Theme contains invalid file or folder name. " . "Stick with ASCII letters, digits, underscore, and minus sign."); throw new ClientException($msg); } if (preg_match('/\.(php|cgi|asp|aspx|js|vb)\w/i', $name)) { + common_log(LOG_ERR, "Unsafe theme filename: $name"); $msg = _("Theme contains unsafe file extension names; may be unsafe."); throw new ClientException($msg); } return true; } - protected function validateExtension($ext) + protected function validateExtension($base, $ext) { $allowed = array('css', // CSS may need validation 'png', 'gif', 'jpg', 'jpeg', 'svg', // SVG images/fonts may need validation 'ttf', 'eot', 'woff'); if (!in_array(strtolower($ext), $allowed)) { + if ($ext == 'ini' && $base == 'theme') { + // theme.ini exception + return true; + } $msg = sprintf(_("Theme contains file of type '.%s', " . "which is not allowed."), $ext); |