diff MoinMoin/web/static/htdocs/applets/FCKeditor/editor/filemanager/connectors/py/fckutil.py @ 5144:12d27670e274

merged moin/1.8
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 14 Sep 2009 02:47:11 +0200
parents wiki/htdocs/applets/FCKeditor/editor/filemanager/connectors/py/fckutil.py@287faf79876f wiki/htdocs/applets/FCKeditor/editor/filemanager/connectors/py/fckutil.py@a6461afbc0ce
children 9c27b8589342
--- a/MoinMoin/web/static/htdocs/applets/FCKeditor/editor/filemanager/connectors/py/fckutil.py	Mon Sep 14 01:59:33 2009 +0200
+++ b/MoinMoin/web/static/htdocs/applets/FCKeditor/editor/filemanager/connectors/py/fckutil.py	Mon Sep 14 02:47:11 2009 +0200
@@ -62,17 +62,17 @@
 def sanitizeFolderName( newFolderName ):
 	"Do a cleanup of the folder name to avoid possible problems"
 	# Remove . \ / | : ? * " < > and control characters
-	return re.sub( '(?u)\\.|\\\\|\\/|\\||\\:|\\?|\\*|"|<|>|[^\u0000-\u001f\u007f-\u009f]', '_', newFolderName )
+	return re.sub( '\\.|\\\\|\\/|\\||\\:|\\?|\\*|"|<|>|[\x00-\x1f\x7f-\x9f]', '_', newFolderName )
 
 def sanitizeFileName( newFileName ):
 	"Do a cleanup of the file name to avoid possible problems"
 	# Replace dots in the name with underscores (only one dot can be there... security issue).
 	if ( Config.ForceSingleExtension ): # remove dots
-		newFileName = re.sub ( '/\\.(?![^.]*$)/', '_', newFileName ) ;
+		newFileName = re.sub ( '\\.(?![^.]*$)', '_', newFileName ) ;
 	newFileName = newFileName.replace('\\','/')		# convert windows to unix path
 	newFileName = os.path.basename (newFileName)	# strip directories
 	# Remove \ / | : ? *
-	return re.sub ( '(?u)/\\\\|\\/|\\||\\:|\\?|\\*|"|<|>|[^\u0000-\u001f\u007f-\u009f]/', '_', newFileName )
+	return re.sub ( '\\\\|\\/|\\||\\:|\\?|\\*|"|<|>|[\x00-\x1f\x7f-\x9f]/', '_', newFileName )
 
 def getCurrentFolder(currentFolder):
 	if not currentFolder:
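Review bot: The final pattern in sanitizeFileName still ends with a stray `/` left over from the PHP-style delimiters, so its last alternative only matches a control character that is immediately followed by a slash. The two lines above it convert backslashes and take `os.path.basename`, so no slash remains at that point and control characters are never replaced in file names, unlike in sanitizeFolderName. Dropping the trailing slash fixes it: `return re.sub ( '\\\\|\\/|\\||\\:|\\?|\\*|"|<|>|[\x00-\x1f\x7f-\x9f]', '_', newFileName )`. The comment above it could also list `" < >` and control characters, as the folder variant does.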
@@ -92,6 +92,10 @@
 	if '..' in currentFolder or '\\' in currentFolder:
 		return None
 
+	# Check for invalid folder paths (..)
+	if re.search( '(/\\.)|(//)|([\\\\:\\*\\?\\""\\<\\>\\|]|[\x00-\x1F]|[\x7f-\x9f])', currentFolder ):
+		return None
+
 	return currentFolder
 
 def mapServerPath( environ, url):
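Review bot: The comment on the added check says it rejects `..`, but the pattern never tests for `..`; the existing `'..' in currentFolder` test just above already does that. The pattern actually rejects any `/.` sequence, `//`, the characters `\ : * ? " < > |` and the control ranges, so a comment such as `# Reject dot-prefixed or empty path segments, reserved characters and control characters` would match the code. The `""` inside the character class is a duplicate and can be a single `"`. If currentFolder arrives as a UTF-8 byte string, which is not visible here, the `\x7f-\x9f` range would also match continuation bytes of ordinary non-ASCII folder names, so that is worth confirming. getCurrentFolder starts above this hunk.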