From e38b993408530ccabe54c76e52785c9c15efa94d Mon Sep 17 00:00:00 2001 From: Anh Nhan Nguyen Date: Fri, 22 Mar 2013 10:51:20 -0700 Subject: [PATCH] Allow more characters in a file name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Summary: Refs T1692 - Borrows from D5192, means suffers from the same problems, too (RTL markers and some more) Extended the list hidden characters though, some characters of which I thought could confuse other parts of Phabricator Test Plan: uploaded some files with a suspicious name of ##[[ .,-#'*`hey`?#+~!"$%&?汉字漢字 seig## Came out as `[[_.,-_*_hey_汉字漢字_seig` Looks reasonable enough for me Reviewers: epriestley, btrahan Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T1692 Differential Revision: https://secure.phabricator.com/D5413 --- src/applications/files/storage/PhabricatorFile.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/applications/files/storage/PhabricatorFile.php b/src/applications/files/storage/PhabricatorFile.php index d2be63ad30..888d49234c 100644 --- a/src/applications/files/storage/PhabricatorFile.php +++ b/src/applications/files/storage/PhabricatorFile.php @@ -368,7 +368,19 @@ final class PhabricatorFile extends PhabricatorFileDAO } public static function normalizeFileName($file_name) { - return preg_replace('/[^a-zA-Z0-9.~_-]/', '_', $file_name); + $pattern = "@[\\x00-\\x19#%&+!~'\$\"\/=\\\\?<> ]+@"; + $file_name = preg_replace($pattern, '_', $file_name); + $file_name = preg_replace('@_+@', '_', $file_name); + $file_name = trim($file_name, '_'); + + $disallowed_filenames = array( + '.' => 'dot', + '..' => 'dotdot', + '' => 'file', + ); + $file_name = idx($disallowed_filenames, $file_name, $file_name); + + return $file_name; } public function delete() {