Diffstat (limited to 'modules/gallery/helpers')
-rw-r--r--modules/gallery/helpers/album.php9
-rw-r--r--modules/gallery/helpers/gallery_installer.php20
-rw-r--r--modules/gallery/helpers/legal_file.php29
-rw-r--r--modules/gallery/helpers/movie.php1
-rw-r--r--modules/gallery/helpers/photo.php1
5 files changed, 57 insertions, 3 deletions
diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php
index 23aed8ac..fe6b03fc 100644
--- a/modules/gallery/helpers/album.php
+++ b/modules/gallery/helpers/album.php
@@ -34,12 +34,16 @@ class album_Core {
->error_messages("length", t("Your title is too long"));
$group->textarea("description")->label(t("Description"));
$group->input("name")->label(t("Directory name"))
- ->error_messages("no_slashes", t("The directory name can't contain the \"/\" character"))
+ ->error_messages("no_slashes", t("The directory name can't contain a \"/\""))
+ ->error_messages("no_backslashes", t("The directory name can't contain a \"\\\""))
+ ->error_messages("no_trailing_period", t("The directory name can't end in \".\""))
->error_messages("required", t("You must provide a directory name"))
->error_messages("length", t("Your directory name is too long"))
->error_messages("conflict", t("There is already a movie, photo or album with this name"));
$group->input("slug")->label(t("Internet Address"))
->error_messages(
+ "conflict", t("There is already a movie, photo or album with this internet address"))
+ ->error_messages(
"reserved", t("This address is reserved and can't be used."))
->error_messages(
"not_url_safe",
@@ -64,13 +68,14 @@ class album_Core {
$group = $form->group("edit_item")->label(t("Edit Album"));
$group->input("title")->label(t("Title"))->value($parent->title)
- ->error_messages("required", t("You must provide a title"))
+ ->error_messages("required", t("You must provide a title"))
->error_messages("length", t("Your title is too long"));
$group->textarea("description")->label(t("Description"))->value($parent->description);
if ($parent->id != 1) {
$group->input("name")->label(t("Directory Name"))->value($parent->name)
->error_messages("conflict", t("There is already a movie, photo or album with this name"))
->error_messages("no_slashes", t("The directory name can't contain a \"/\""))
+ ->error_messages("no_backslashes", t("The directory name can't contain a \"\\\""))
->error_messages("no_trailing_period", t("The directory name can't end in \".\""))
->error_messages("required", t("You must provide a directory name"))
->error_messages("length", t("Your directory name is too long"));
diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php
index d49be83f..f1604150 100644
--- a/modules/gallery/helpers/gallery_installer.php
+++ b/modules/gallery/helpers/gallery_installer.php
@@ -809,6 +809,26 @@ class gallery_installer {
->execute();
module::set_version("gallery", $version = 57);
}
+
+ if ($version == 57) {
+ // In v58 we changed the Item_Model validation code to disallow files or directories with
+ // backslashes in them, and we need to fix any existing items that have them. This is
+ // pretty unlikely, as having backslashes would have probably already caused other issues for
+ // users, but we should check anyway. This might be slow, but if it times out it can just
+ // pick up where it left off.
+ foreach (db::build()
+ ->from("items")
+ ->select("id")
+ ->where(db::expr("`name` REGEXP '\\\\\\\\'"), "=", 1) // one \, 3x escaped
+ ->order_by("id", "asc")
+ ->execute() as $row) {
+ set_time_limit(30);
+ $item = ORM::factory("item", $row->id);
+ $item->name = str_replace("\\", "_", $item->name);
+ $item->save();
+ }
+ module::set_version("gallery", $version = 58);
+ }
}
static function uninstall() {
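Review bot: The v57→58 loop does not handle a rename that collides with a sibling: `str_replace("\\", "_", $item->name)` can yield a name that already exists in the same album (an item `a\b` next to `a_b`), and the forms touched by this commit show that item names carry a `conflict` rule. Item_Model is not visible here, but if `$item->save()` rejects the new name the upgrade presumably stops before `module::set_version("gallery", $version = 58)` and fails on the same row at every retry, leaving the remaining backslash names in place. Consider handling the validation failure per item and falling back to a unique name (for example by appending the item id), with a comment such as `// A rename may collide with an existing sibling; fall back to a unique name instead of aborting the upgrade.` The replacement also bypasses the `legal_file` sanitizers, so a name made only of backslashes ends up as a run of underscores.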
diff --git a/modules/gallery/helpers/legal_file.php b/modules/gallery/helpers/legal_file.php
index f8547011..9f02fe70 100644
--- a/modules/gallery/helpers/legal_file.php
+++ b/modules/gallery/helpers/legal_file.php
@@ -298,7 +298,7 @@ class legal_file_Core {
$filename = str_replace("/", "_", $filename);
$filename = str_replace("\\", "_", $filename);
- // Remove extra dots from the filename. This will also remove extraneous underscores.
+ // Remove extra dots from the filename. Also removes extraneous and leading/trailing underscores.
$filename = legal_file::smash_extensions($filename);
// It's possible that the filename has no base (e.g. ".jpg") - if so, give it a generic one.
@@ -308,4 +308,31 @@ class legal_file_Core {
return $filename;
}
+
+ /**
+ * Sanitize a directory name for an album. This returns a completely legal and valid
+ * directory name.
+ *
+ * @param string $dirname (with no parent directory)
+ * @return string sanitized dirname
+ */
+ static function sanitize_dirname($dirname) {
+ // It should be a dirname without a parent directory - remove all slashes (and backslashes).
+ $dirname = str_replace("/", "_", $dirname);
+ $dirname = str_replace("\\", "_", $dirname);
+
+ // Remove extraneous and leading/trailing underscores.
+ $dirname = preg_replace("/[_]+/", "_", $dirname);
+ $dirname = trim($dirname, "_");
+
+ // Remove any trailing dots.
+ $dirname = rtrim($dirname, ".");
+
+ // It's possible that the dirname is now empty - if so, give it a generic one.
+ if (empty($dirname)) {
+ $dirname = "album";
+ }
+
+ return $dirname;
+ }
}
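Review bot: `empty($dirname)` in the fallback check of `sanitize_dirname()` is also true for the string "0", so an album directory named `0` is silently renamed to `album`; `if ($dirname === "")` tests what the comment describes. The underscore trim runs before the trailing-dot strip, so `foo_.` comes out as `foo_` with a trailing underscore; `$dirname = rtrim(ltrim($dirname, "_"), "._");` in place of the separate `trim`/`rtrim` calls handles mixed runs of dots and underscores. The docblock promises a "completely legal and valid" directory name, but only `/`, `\`, underscores and trailing dots are handled, so it would be more accurate to list what is covered and state that NUL bytes and other platform-reserved characters are left to the caller or to model validation.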
diff --git a/modules/gallery/helpers/movie.php b/modules/gallery/helpers/movie.php
index 2f190881..4613df61 100644
--- a/modules/gallery/helpers/movie.php
+++ b/modules/gallery/helpers/movie.php
@@ -38,6 +38,7 @@ class movie_Core {
->error_messages(
"conflict", t("There is already a movie, photo or album with this name"))
->error_messages("no_slashes", t("The movie name can't contain a \"/\""))
+ ->error_messages("no_backslashes", t("The movie name can't contain a \"\\\""))
->error_messages("no_trailing_period", t("The movie name can't end in \".\""))
->error_messages("illegal_data_file_extension", t("You cannot change the movie file extension"))
->error_messages("required", t("You must provide a movie file name"))
diff --git a/modules/gallery/helpers/photo.php b/modules/gallery/helpers/photo.php
index 004cc7c4..ecf81e66 100644
--- a/modules/gallery/helpers/photo.php
+++ b/modules/gallery/helpers/photo.php
@@ -35,6 +35,7 @@ class photo_Core {
$group->input("name")->label(t("Filename"))->value($photo->name)
->error_messages("conflict", t("There is already a movie, photo or album with this name"))
->error_messages("no_slashes", t("The photo name can't contain a \"/\""))
+ ->error_messages("no_backslashes", t("The photo name can't contain a \"\\\""))
->error_messages("no_trailing_period", t("The photo name can't end in \".\""))
->error_messages("illegal_data_file_extension", t("You cannot change the photo file extension"))
->error_messages("required", t("You must provide a photo file name"))