From 6eeaf66e2cedfa190cdea76078aa5dfccbddcd8d Mon Sep 17 00:00:00 2001
From: Hanno Heinrichs
Date: Thu, 28 Jan 2016 22:40:54 +0100
Subject: [PATCH] prevent directory traversal in paths
---
 .../filedir/function.makeSecurePath.php | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/lib/functions/filedir/function.makeSecurePath.php b/lib/functions/filedir/function.makeSecurePath.php
index cdcfb7e1..4cc3f9a3 100644
--- a/lib/functions/filedir/function.makeSecurePath.php
+++ b/lib/functions/filedir/function.makeSecurePath.php
@@ -26,15 +26,21 @@
 */
 function makeSecurePath($path) {
+ // check for bad characters, some are allowed with escaping
+ // but we generally don't want them in our directory-names,
+ // thx to aaronmueller for this snipped
+ $badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?', "\0");
+ foreach ($badchars as $bc) {
+ $path = str_replace($bc, "", $path);
+ }
+
 $search = array(
 '#/+#',
- '#\.+#',
- '#\0+#'
+ '#\.+#'
 );
 $replace = array(
 '/',
- '.',
- ''
+ '.'
 );
 $path = preg_replace($search, $replace, $path);
 // don't just replace a space with an escaped space
@@ -42,13 +48,5 @@ function makeSecurePath($path) {
 $path = str_replace("\ ", " ", $path);
 $path = str_replace(" ", "\ ", $path);
- // check for bad characters, some are allowed with escaping
- // but we generally don't want them in our directory-names,
- // thx to aaronmueller for this snipped
- $badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?');
- foreach ($badchars as $bc) {
- $path = str_replace($bc, "", $path);
- }
-
 return $path;
 }
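Review bot: The strip-then-collapse order introduced in the first hunk closes the gap where a character removed after `preg_replace` could re-join two dots, but the sanitizer still works from a denylist, so any byte not listed in `$badchars` reaches the returned path unchanged, and rewriting `..` to `.` via `'#\.+#'` silently alters the path instead of rejecting it, so a caller cannot tell a sanitized result from the path it asked for. If the deployment's path character set permits it, an allowlist such as `$path = preg_replace('#[^A-Za-z0-9._/ -]#', '', $path);` placed before the dot collapse is easier to reason about than an ever-growing character list, and the call sites that actually open the path should still confine the `realpath()` result to the intended base directory rather than trust this function alone. The docblock closing with ` */` at the top of the hunk should state that the function sanitizes rather than validates, for example `Collapses repeated dots and slashes and strips shell metacharacters; returns the rewritten path and never signals that the input was modified.` The body of makeSecurePath continues into the second hunk, where `return $path;` and the closing brace are.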