From 8f11bce904d188b29e180a11113b51fdfade60b0 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sat, 16 May 2009 22:27:32 +0000
Subject: Don't allow photos, albums or movies to have a trailing period to avoid security problems. Ref http://dev.kohanaphp.com/issues/684). This plus r20823 resolves ticket #248.
---
 core/helpers/album.php | 4 +++-
 core/helpers/item.php | 6 ++++++
 core/helpers/photo.php | 7 +++++--
 3 files changed, 14 insertions(+), 3 deletions(-)
(limited to 'core')
diff --git a/core/helpers/album.php b/core/helpers/album.php
index 1e0d1f7d..362b93d0 100644
--- a/core/helpers/album.php
+++ b/core/helpers/album.php
@@ -101,7 +101,9 @@ class album_Core {
 if ($parent->id != 1) {
 $group->input("dirname")->label(t("Directory Name"))->value($parent->name)
 ->callback("item::validate_no_slashes")
- ->error_messages("no_slashes", t("The directory name can't contain the \"/\" character"));
+ ->error_messages("no_slashes", t("The directory name can't contain a \"/\""))
+ ->callback("item::validate_no_trailing_period")
+ ->error_messages("no_trailing_period", t("The directory name can't end in \".\""));
 }
 
 $sort_order = $group->group("sort_order", array("id" => "gAlbumSortOrder"))
diff --git a/core/helpers/item.php b/core/helpers/item.php
index bd54f2b1..8ff09535 100644
--- a/core/helpers/item.php
+++ b/core/helpers/item.php
@@ -78,4 +78,10 @@ class item_Core {
 $input->add_error("no_slashes", 1);
 }
 }
+
+ static function validate_no_trailing_period($input) {
+ if (rtrim($input->value, ".") !== $input->value) {
+ $input->add_error("no_trailing_period", 1);
+ }
+ }
 }
\ No newline at end of file
diff --git a/core/helpers/photo.php b/core/helpers/photo.php
index 8b0e1eab..9e468116 100644
--- a/core/helpers/photo.php
+++ b/core/helpers/photo.php
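Review bot: The subject names photos, albums and movies, but within the `core` view only album.php, item.php and photo.php change; if a movie edit form builds its filename input the way the `dirname` input does here, it needs the same `->callback("item::validate_no_trailing_period")` and `no_trailing_period` message, unless that is what the r20823 referenced in the description covers. The new callback pair is attached only inside the pre-existing `if ($parent->id != 1)` branch, so the root album's directory name is presumably never edited through this form and is not validated here. The enclosing function starts and ends outside the hunk.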
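Review bot: `validate_no_trailing_period` carries no comment, so the reason a trailing period is rejected lives only in the commit message; add a docblock above it such as `// Reject names ending in "." — a trailing period causes security problems on some platforms (ticket #248, Kohana issue 684); this also rejects "." and ".." outright.` The `rtrim($input->value, ".") !== $input->value` test strips periods only, so a name that ends in a period followed by a space passes this check; if the platform behaviour behind the referenced issue also applies to trailing whitespace, which I cannot confirm from this diff, the character list would need to be `". "` or a separate check added. The class is cut at the top of the hunk; the method itself is complete.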
@@ -135,9 +135,12 @@ class photo_Core {
 $group->input("title")->label(t("Title"))->value($photo->title);
 $group->textarea("description")->label(t("Description"))->value($photo->description);
 $group->input("filename")->label(t("Filename"))->value($photo->name)
- ->callback("item::validate_no_slashes")
 ->error_messages("conflict", t("There is already a file with this name"))
- ->error_messages("no_slashes", t("The directory name can't contain the \"/\" character"));
+ ->callback("item::validate_no_slashes")
+ ->error_messages("no_slashes", t("The photo name can't contain a \"/\""))
+ ->callback("item::validate_no_trailing_period")
+ ->error_messages("no_trailing_period", t("The photo name can't end in \".\""));
+
 $group->submit("")->value(t("Modify"));
 $form->add_rules_from(ORM::factory("item"));
 return $form;
-- 
cgit v1.2.3
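Review bot: The trailing-period rule is enforced here only as a form callback on the edit form's `filename` input, so any other path that sets a photo's name (an upload or create path, if one exists) is not covered by this hunk; the next line already calls `$form->add_rules_from(ORM::factory("item"))`, so a rule on the item model would reach every form that pulls rules from it, but I cannot see from this diff whether such a path exists. The `no_slashes` message now reads "photo name" while the callback and error key are shared with album.php, which is fine as long as both forms keep attaching the two callbacks in the same order, as they now do. The added blank line before `$group->submit` is whitespace only. The enclosing function starts outside the hunk.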