zero-tolerance
authornohn <nohn>
Tue, 10 May 2005 14:53:48 +0000 (14:53 +0000)
committernohn <nohn>
Tue, 10 May 2005 14:53:48 +0000 (14:53 +0000)
include/admin/images.inc.php
include/functions_images.inc.php

index c4970a5564cfed3725650d6f20b6f7ea5919af8d..f7817068a2d7e38dad5914b8bbfa83d58fb09b52 100644 (file)
@@ -113,9 +113,9 @@ switch ($serendipity['GET']['adminAction']) {
     // First find out whether to fetch a file or accept an upload
     if ($serendipity['POST']['imageurl'] != '' && $serendipity['POST']['imageurl'] != 'http://') {
         if (!empty($serendipity['POST']['target_filename'])) {
-            $tfile   = trim($serendipity['POST']['target_filename']);
+            $tfile   = serendipityNormalizeFilename($serendipity['POST']['target_filename']);
         } else {
-            $tfile   = trim(basename($serendipity['POST']['imageurl']));
+            $tfile   = serendipityNormalizeFilename(basename($serendipity['POST']['imageurl']));
         }
 
         if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile)) {
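Review bot: After the allowlist filter at L16/L19, `$tfile` can legitimately come out empty — a name consisting only of characters outside `[a-zA-Z0-9._/-]` (a non-ASCII filename, for instance) is reduced to `''` — and nothing in this hunk rejects that before the name is later appended to the upload path. The old `trim()` had this gap only for all-whitespace names, so the new normalization widens it. A guard after the assignment, `if ($tfile === '') { break; }`, mirroring the `break` used for the rejected-extension case, would cover it; the same applies to the upload branch at L37/L40. The enclosing `switch` case starts before this hunk.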
@@ -123,7 +123,7 @@ switch ($serendipity['GET']['adminAction']) {
             break;
         }
 
-        $tfile = trim(serendipity_uploadSecure($tfile));
+        $tfile = serendipityNormalizeFilename(serendipity_uploadSecure($tfile));
         $serendipity['POST']['target_directory'] = serendipity_uploadSecure($serendipity['POST']['target_directory'], true);
         $target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['POST']['target_directory'] . $tfile;
 
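Review bot: At L28 the character filter now runs on the output of `serendipity_uploadSecure()`, so whatever that function checked is reshaped afterwards: deleting characters can bring remaining ones together into a sequence the checker never saw. Unless `serendipity_uploadSecure()` itself already restricts to this character set (its body is not visible here), the safer order is filter first, validate second — `$tfile = serendipity_uploadSecure(serendipityNormalizeFilename($tfile));` — or simply drop the outer call, since `$tfile` was already normalized at L16/L19 and `serendipity_uploadSecure()` is the last word. The same ordering appears at L49. The enclosing `switch` case starts before this hunk.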
@@ -166,9 +166,9 @@ switch ($serendipity['GET']['adminAction']) {
         }
     } else {
         if (!empty($serendipity['POST']['target_filename'])) {
-            $tfile   = trim($serendipity['POST']['target_filename']);
+            $tfile   = serendipityNormalizeFilename($serendipity['POST']['target_filename']);
         } else {
-            $tfile   = trim($_FILES['userfile']['name']);
+            $tfile   = serendipityNormalizeFilename($_FILES['userfile']['name']);
         }
 
         if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile)) {
@@ -176,7 +176,7 @@ switch ($serendipity['GET']['adminAction']) {
             break;
         }
 
-        $tfile = trim(serendipity_uploadSecure($tfile));
+        $tfile = serendipityNormalizeFilename(serendipity_uploadSecure($tfile));
         $serendipity['POST']['target_directory'] = serendipity_uploadSecure($serendipity['POST']['target_directory'], true);
         $target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['POST']['target_directory'] . $tfile;
 
index 222a111800beb653ca0c5f7f8a01dad3c3a42d48..3d38e9a498357e64f90f9e5379f82147e6c0f56c 100644 (file)
@@ -2,6 +2,15 @@
 # Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)
 # All rights reserved.  See LICENSE file for licensing details
 
+/**
+* Normalize a filename
+**/
+function serendipityNormalizeFilename($in) {
+    $out = preg_replace('![^a-zA-Z0-9\._/-]!', '', $in);
+    return $out;
+}
+
+
 /**
 * Get a list of images
 **/
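Review bot: The docblock at L59 says only "Normalize a filename", but the allowlist at L62 keeps `.`, `/` and `-`, so path separators, `..` components and leading-dot names pass through unchanged, and a reader of the name could assume a stronger guarantee than the function gives. Suggest expanding the comment to: `Strip every character outside [a-zA-Z0-9._/-]. Dots and slashes are kept, so this is neither a path-traversal nor a dotfile check; callers in images.inc.php still pass the result through serendipity_uploadSecure().` Also `$in` comes straight from `$_POST`/`$_FILES`, and if a client submits it as an array `preg_replace()` returns an array rather than a string; guarding the input, `if (!is_string($in)) { return ''; }` at the top, keeps the return type predictable. The `$out` temporary can be inlined into the `return`.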