Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12799
Modified Files:
NEWS serendipity_admin_images.inc.php
Log Message:
image upload fix
Index: NEWS
===================================================================
RCS file: /cvsroot/php-blog/serendipity/NEWS,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -d -r1.113 -r1.114
--- NEWS 26 Apr 2004 10:33:20 -0000 1.113
+++ NEWS 26 Apr 2004 10:56:23 -0000 1.114
@@ -3,6 +3,9 @@
Version 0.6.1 ()
------------------------------------------------------------------------
+ * Image upload now strips all characters not suggested for filename
+ use (garvinhicking)
+
* Categories can now have a fixed image which is embedded for
every article. Can be styled via CSS (.serendipity_entryIcon).
Integrated with s9y image manager.
Index: serendipity_admin_images.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_admin_images.inc.php,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -d -r1.21 -r1.22
--- serendipity_admin_images.inc.php 4 Apr 2004 16:24:46 -0000 1.21
+++ serendipity_admin_images.inc.php 26 Apr 2004 10:56:23 -0000 1.22
@@ -68,7 +68,7 @@
}
$newfile = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['GET']['newname'] . '.' . $file['extension'];
- $oldfile = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $file['name'] . '.'. $file['extension'];
+ $oldfile = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $file['name'] . '.'. $file['extension'];
if ($serendipity['GET']['newname'] != '' && file_exists($oldfile) && !file_exists($newfile)) {
// Rename file
rename($oldfile, $newfile);
@@ -114,7 +114,8 @@
} else {
$tfile = basename($serendipity['POST']['imageurl']);
}
-
+
+ $tfile = preg_replace('@[^0-9a-z\._/-]@i', '', $tfile);
$target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $tfile;
if (file_exists($target)) {
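Review bot: The allow-list in the added `preg_replace('@[^0-9a-z\._/-]@i', '', $tfile)` still keeps `/` and `.`, so a `../` sequence passes through unchanged and `$target` on the following line can resolve outside `uploadPath`. The visible else-branch here already applies `basename()`, but the branch above it starts outside the hunk, and the identical line added in the next hunk filters `$_FILES['userfile']['name']` directly. Unless subdirectory targets are intended, drop the slash and take the basename first, `$tfile = preg_replace('@[^0-9a-z\._-]@i', '', basename($tfile));`, and reject the upload when the result is empty. The rename code in the first hunk's context builds `$newfile` from `$serendipity['GET']['newname']` and would need the same filter, if that value is not cleaned earlier in the file.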
@@ -141,7 +142,8 @@
} else {
$tfile = $_FILES['userfile']['name'];
}
-
+
+ $tfile = preg_replace('@[^0-9a-z\._/-]@i', '', $tfile);
$target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $tfile;
if (file_exists($target)) {
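Review bot: The character filter added here leaves the extension untouched, so an upload whose name ends in a server-executable extension such as `.php` is written under `uploadPath` with that name. No type check is visible in this hunk, so confirm one exists before `$target` is used. An extension allow-list applied after the filter would cover it, e.g. `if (!in_array(strtolower(pathinfo($tfile, PATHINFO_EXTENSION)), $allowedExt)) { /* reject upload */ }`, where `$allowedExt` is a placeholder for the project's list of image extensions. Since the same `preg_replace` line now appears in both upload branches, a small shared helper would keep them in step. The enclosing block starts and ends outside the hunk.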
@@ -173,7 +175,7 @@
document.getElementById(field).value = value.replace(re, "$1");
}
</script>
-
+
<form action="?" method="POST" id="uploadform" enctype="multipart/form-data">
<div>
<input type="hidden" name="MAX_FILE_SIZE" value="3000000" />