1 files changed, 17 insertions, 2 deletions

diff --git a/lib/themeuploader.php b/lib/themeuploader.php
index abf0658d3..5a48e884e 100644
--- a/lib/themeuploader.php
+++ b/lib/themeuploader.php
@@ -192,37 +192,52 @@ class ThemeUploader
         if (in_array(strtolower($ext), $skip)) {
             return true;
         }
+        if ($filename == '' || substr($filename, 0, 1) == '.') {
+            // Skip Unix-style hidden files
+            return true;
+        }
+        if ($filename == '__MACOSX') {
+            // Skip awful metadata files Mac OS X slips in for you.
+            // Thanks Apple!
+            return true;
+        }
         return false;
     }
 
     protected function validateFile($filename, $ext)
     {
         $this->validateFileOrFolder($filename);
-        $this->validateExtension($ext);
+        $this->validateExtension($filename, $ext);
         // @fixme validate content
     }
 
     protected function validateFileOrFolder($name)
     {
         if (!preg_match('/^[a-z0-9_\.-]+$/i', $name)) {
+            common_log(LOG_ERR, "Bad theme filename: $name");
             $msg = _("Theme contains invalid file or folder name. " .
                      "Stick with ASCII letters, digits, underscore, and minus sign.");
             throw new ClientException($msg);
         }
         if (preg_match('/\.(php|cgi|asp|aspx|js|vb)\w/i', $name)) {
+            common_log(LOG_ERR, "Unsafe theme filename: $name");
             $msg = _("Theme contains unsafe file extension names; may be unsafe.");
             throw new ClientException($msg);
         }
         return true;
     }
 
-    protected function validateExtension($ext)
+    protected function validateExtension($base, $ext)
     {
         $allowed = array('css', // CSS may need validation
                          'png', 'gif', 'jpg', 'jpeg',
                          'svg', // SVG images/fonts may need validation
                          'ttf', 'eot', 'woff');
         if (!in_array(strtolower($ext), $allowed)) {
+            if ($ext == 'ini' && $base == 'theme') {
+                // theme.ini exception
+                return true;
+            }
             $msg = sprintf(_("Theme contains file of type '.%s', " .
                              "which is not allowed."),
                            $ext);