Actually this makes more sense, also backport the dotfile patch from trunk to branch

diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
index 86166a20d3e37a37f4df31622bfd08e0254db49b..5903746b13ff1be04579c9b5b7c83def6751e9e7 100644 (file)
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@@ -60,7 +60,7 @@ switch ($serendipity['GET']['adminAction']) {
             return;
         }
 
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && !serendipity_isSafeFile($serendipity['GET']['newname'])) {
+        if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && serendipity_isActiveFile($serendipity['GET']['newname'])) {
             printf(ERROR_FILE_FORBIDDEN, $serendipity['GET']['newname']);
             return;
         }
@@ -130,7 +130,7 @@ switch ($serendipity['GET']['adminAction']) {
             $tindex  = 1;
         }
 
-        if (preg_match('@^\.@', $tfile) || ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && (preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile)))) {
+        if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && serendipity_isActiveFile($tfile)) {
             printf(ERROR_FILE_FORBIDDEN, $tfile);
             break;
         }

diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index d069ecb776fb84380d0f2a10151bed60e56c618c..fdb75065bb3f264c6e42d6b561d8868f40c974a2 100644 (file)
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -10,7 +10,11 @@ function serendipityNormalizeFilename($in) {
     return $out;
 }
 
-function serendipity_isSafeFile($file) {
+function serendipity_isActiveFile($file) {
+    if (preg_match('@^\.@', $file)) {
+        return true;
+    }
+
     return preg_match('@\.(php[34]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
 }