From e97ccb469552a7c50e499ca556f418ec809aa912 Mon Sep 17 00:00:00 2001
From: garvinhicking
Date: Wed, 11 May 2005 09:56:00 +0000
Subject: [PATCH] Actually this makes more sense, also backport the dotfile patch from trunk to branch

---
 include/admin/images.inc.php | 4 ++--
 include/functions_images.inc.php | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
index 3575124..341318a 100644
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@@ -60,7 +60,7 @@ switch ($serendipity['GET']['adminAction']) {
 return;
 }
 
- if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && !serendipity_isSafeFile($serendipity['GET']['newname'])) {
+ if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && serendipity_isActiveFile($serendipity['GET']['newname'])) {
 printf(ERROR_FILE_FORBIDDEN, $serendipity['GET']['newname']);
 return;
 }
@@ -123,7 +123,7 @@ switch ($serendipity['GET']['adminAction']) {
 $tfile = serendipityNormalizeFilename(basename($serendipity['POST']['imageurl']));
 }
 
- if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && !serendipity_isSafeFile($tfile)) {
+ if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && serendipity_isActiveFile($tfile)) {
 printf(ERROR_FILE_FORBIDDEN, $tfile);
 break;
 }
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index d069ecb..fdb7506 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -10,7 +10,11 @@ function serendipityNormalizeFilename($in) {
 return $out;
 }
 
-function serendipity_isSafeFile($file) {
+function serendipity_isActiveFile($file) {
+ if (preg_match('@^\.@', $file)) {
+ return true;
+ }
+
 return preg_match('@\.(php[34]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
 }
 
-- 
2.39.5
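Review bot: The new guard on the `+` line feeds `$serendipity['GET']['newname']` to `serendipity_isActiveFile` exactly as received, and the `printf(ERROR_FILE_FORBIDDEN, ...)` on the next line echoes that same raw GET value into the admin page, so a name carrying a directory component or markup reaches both the check and the response. The second hunk of this file normalises its candidate with `serendipityNormalizeFilename(basename(...))` before the same test; doing the same here, `$newname = serendipityNormalizeFilename(basename($serendipity['GET']['newname']));`, then checking and printing `htmlspecialchars($newname)`, would make the two paths consistent. The `case` body this sits in begins and ends outside the hunk, so an earlier normalisation may exist that I cannot see; if it does, only the unescaped echo remains.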
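Review bot: `$tfile` on the first context line is derived from `basename()` of the raw `imageurl`, and `basename()` knows nothing about URLs: for `http://host/shell.php?x=.jpg` it returns `shell.php?x=.jpg`, whose trailing `.jpg` satisfies the end-anchored extension regex that `serendipity_isActiveFile` applies on the `+` line. Whether `serendipityNormalizeFilename` strips the `?`/`#` part is not visible in this diff; if it does not, take the path component before the basename, e.g. `$u = parse_url($serendipity['POST']['imageurl']); $tfile = serendipityNormalizeFilename(basename($u['path']));`, guarding for `parse_url` returning false. The `if`/`else` that assigns `$tfile` starts outside the hunk.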
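Review bot: The extension test on the last context line is anchored with `$`, so `shell.php.jpg` is reported as not active even though Apache's mod_mime applies handlers per extension and will hand such a file to PHP when `.php` is mapped with AddHandler; the alternation also stops at `php[34]?`, so `.php5` passes. A deny-list check should assume the permissive server configuration, e.g. `return (bool) preg_match('@\.(php[345]?|[psj]html?|aspx?|cgi|jsp|py|pl)(\.|$)@i', $file);`, which matches the dangerous extension anywhere in the chain and also makes the return type consistent with the `return true;` added above it. Whether a given deployment maps multiple extensions that way cannot be seen here, but the cost of matching too much is a rejected rename, not an executed upload.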