From 15bb78d447f10fcca9095433e3cedbf40868f703 Mon Sep 17 00:00:00 2001 From: "Michael Kaufmann (d00p)" Date: Mon, 9 Dec 2013 07:49:33 +0100 Subject: [PATCH] remove some special characters from directory-names when validating, fixes #1231 and pull-request 73 partly Signed-off-by: Michael Kaufmann (d00p) --- lib/functions/filedir/function.makeSecurePath.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/lib/functions/filedir/function.makeSecurePath.php b/lib/functions/filedir/function.makeSecurePath.php index c46a693f..5d3fc01a 100644 --- a/lib/functions/filedir/function.makeSecurePath.php +++ b/lib/functions/filedir/function.makeSecurePath.php @@ -26,12 +26,12 @@ */ function makeSecurePath($path) { - $search = Array( + $search = array( '#/+#', '#\.+#', '#\0+#' ); - $replace = Array( + $replace = array( '/', '.', '' @@ -41,5 +41,14 @@ function makeSecurePath($path) { // it might be escaped already $path = str_replace("\ ", " ", $path); $path = str_replace(" ", "\ ", $path); + + // check for bad characters, some are allowed with escaping + // but we generally don't want them in our directory-names, + // thx to aaronmueller for this snipped + $badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?'); + foreach ($badchars as $bc) { + str_replace($bc, "", $path); + } + return $path; }
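Review bot: The loop added in the second hunk never changes `$path`: `str_replace($bc, "", $path);` discards its return value, so every character listed in `$badchars` still reaches `return $path;` and the filtering this commit describes has no effect. Assign the result, and because `str_replace` accepts an array of needles the loop can be dropped: `$path = str_replace($badchars, '', $path);`. Once the filter does take effect it is still a denylist (quotes, parentheses and newlines, for instance, are not in it), so any caller that hands the returned path to a shell should quote it with `escapeshellarg()` at the call site rather than rely on this function alone. The part of makeSecurePath between the two hunks is not visible here, so the interaction with the `preg_replace` step is not covered by this note.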