[0000281] Filename saitization added
[fa-stable.git] / includes / main.inc
index ee7564785f0d8d020ad50668938d9279799a22c5..3d94aeb6900d1a85583ece6eef587f33015c96b9 100644 (file)
@@ -270,11 +270,12 @@ function check_write($path)
 function copy_files($flist, $from, $to, $strict=false)
 {
        foreach ($flist as $file) {
-               if (file_exists($from.'/'.$file))
+               if (file_exists($from.'/'.$file)) {
                        if (!copy_file($file, $from, $to))
                                return false;
-               if ($strict && !is_file($from.'/'.$file)) // if 
+               } else if ($strict) {
                                unlink($to.'/'.$file);
+               }
        }
        return true;
 }
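Review bot: In the new `else if ($strict)` branch, `unlink($to.'/'.$file)` runs whenever the source is missing, regardless of whether the target exists; on a missing target `unlink()` raises an E_WARNING and returns false, and that return value is discarded. Guarding the branch with `} else if ($strict && is_file($to.'/'.$file)) {` avoids the spurious warning, and checking the result (`if (!unlink($to.'/'.$file)) return false;`) keeps the strict mode's failure reporting consistent with the `copy_file` path above it. Note also that the source test changed from `is_file` to `file_exists`, so a directory entry in `$flist` now reaches `copy_file` instead of being unlinked from `$to` — worth confirming that is intended.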
@@ -326,11 +327,11 @@ function find_custom_file($rep)
                $extensions = $installed_extensions;
                foreach ($extensions as $ext)
                        if (($ext['active'] && $ext['type'] == 'extension')) {
-                               $local_path_to_root =
                                $path = $path_to_root.'/'.$ext['path'];
                                $file = $path.$rep;
                                if (file_exists($file)) {
                                        set_include_path($path.PATH_SEPARATOR.get_include_path());
+                                       $local_path_to_root = $path;
                                        return $file;
                                }
                        }
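Review bot: The added `$local_path_to_root = $path;` sits immediately before `return $file;`, so unless `$local_path_to_root` is declared `global` (or bound by reference) earlier in `find_custom_file`, whose opening lies outside this hunk, the assignment is dead and the previous chained `$local_path_to_root = $path = ...` behaviour is silently lost. Please confirm the declaration exists, and add a one-line comment at the assignment stating what it exports, e.g. `// publish the matched extension root for callers via the global $local_path_to_root`, so the side effect is not mistaken for a leftover.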
@@ -342,5 +343,13 @@ function find_custom_file($rep)
 
        return null;
 }
+/*
+       
+       Protect against directory traversal.
+       Changes all not POSIX compatible chars to underscore.
+*/
+function clean_file_name($filename) {
+    return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
+}
 
 ?>
\ No newline at end of file
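Review bot: `clean_file_name` keeps `.` in the allowed set, so a name consisting only of dots — `.` or `..` — is returned unchanged and still resolves to the current or parent directory when joined onto a base path; the regex stops `../x`-style input (slashes become `_`) but not a bare `..`, which undercuts the "protect against directory traversal" comment. A two-line fix covers it: `$name = preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);` followed by `return in_array($name, ['.', '..'], true) ? '_' : $name;`, and the comment should say what the function actually guarantees, e.g. `// Replace every byte outside [A-Za-z0-9._-] with '_' and reject the pure dot names; the result is safe to append to a directory path.` A `string` parameter and return type would also let callers rely on the contract rather than on `preg_replace`'s loose input handling.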