From 97c1d3f81aa6c0aba421e856b574d5867e8748ee Mon Sep 17 00:00:00 2001 From: rurban Date: Sun, 8 Apr 2007 12:43:45 +0000 Subject: [PATCH] Important security fix! Disallow files like "deface.php.3" also. Those are actually in the wild! git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@5655 96ab9672-09ca-45d6-a79d-3d69d39ca109 --- lib/plugin/UpLoad.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/plugin/UpLoad.php b/lib/plugin/UpLoad.php index 1c71c4f0a..3398b1dc9 100644 --- a/lib/plugin/UpLoad.php +++ b/lib/plugin/UpLoad.php @@ -1,5 +1,5 @@ getTmpName(); $err_header = HTML::h2(fmt("ERROR uploading '%s': ", $userfile_name)); - if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")\$/", + if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/", $userfile_name)) { $message->pushContent($err_header); @@ -239,6 +239,9 @@ ws[cfh]"); } // $Log: not supported by cvs2svn $ +// Revision 1.22 2007/02/17 14:16:56 rurban +// allow spaces in filenames +// // Revision 1.21 2007/01/04 16:46:50 rurban // Support UPLOAD_USERDIR // -- 2.45.0
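Review bot: The tightened pattern on the added `preg_match` line is still matched case-sensitively, so an upper- or mixed-case variant of a listed extension is rejected only if `$this->disallowed_extensions` happens to spell it out, which this hunk does not show; adding the `i` modifier, `")(\.|\$)/i",`, closes that gap without touching the list. The entries are spliced into the regex unescaped (the `ws[cfh]` entry visible in the following hunk header appears to rely on that), so a short comment next to the list should say that every entry must be a valid pattern fragment that does not contain the `/` delimiter. A deny-list of extensions will also keep lagging behind whatever handler mappings the web server has, so the more durable mitigation is to serve uploads from a directory where script execution is disabled, or to accept only an allow-list of extensions. The enclosing method starts and ends outside this hunk, and the hunk's own `@@` header seems to have been lost from the page.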