From 219be3823e60d6550463265b295808aebb16d478 Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Wed, 8 Feb 2012 09:00:31 +0000
Subject: [PATCH] Added some simple path validation to resolveContainerPath() in FSFileBackend. This makes file op batches a bit more robust.
---
 includes/filerepo/backend/FSFileBackend.php | 23 ++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/includes/filerepo/backend/FSFileBackend.php b/includes/filerepo/backend/FSFileBackend.php
index 4556eaa03c..e891c9dedf 100644
--- a/includes/filerepo/backend/FSFileBackend.php
+++ b/includes/filerepo/backend/FSFileBackend.php
@@ -61,12 +61,33 @@ class FSFileBackend extends FileBackendStore {
 * @see FileBackendStore::resolveContainerPath()
 */
 protected function resolveContainerPath( $container, $relStoragePath ) {
+ // Check that container has a root directory
 if ( isset( $this->containerPaths[$container] ) || isset( $this->basePath ) ) {
- return $relStoragePath; // container has a root directory
+ // Check for sane relative paths (assume the base paths are OK)
+ if ( $this->isLegalRelPath( $relStoragePath ) ) {
+ return $relStoragePath;
+ }
 }
 return null;
 }
 
+ /**
+ * Sanity check a relative file system path for validity
+ *
+ * @param $path string Normalized relative path
+ */
+ protected function isLegalRelPath( $path ) {
+ // Check for file names longer than 255 chars
+ if ( preg_match( '![^/]{256}!', $path ) ) { // ext3/NTFS
+ return false;
+ }
+ if ( wfIsWindows() ) { // NTFS
+ return !preg_match( '![:*?"<>]!', $path );
+ } else {
+ return true;
+ }
+ }
+
 /**
 * Given the short (unresolved) and full (resolved) name of
 * a container, return the file system path of the container.
-- 
2.20.1
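Review bot: The Windows branch of `isLegalRelPath()` rejects `:*?"<>` but lets `\` and `|` through; `|` is not a legal NTFS name character, and `\` is a path separator there, so a path that upstream normalization treated as one `/`-delimited segment could still be split into directories (including `..` segments) by the file system. Whether the normalizer already rejects backslashes is not visible in this hunk, so I would close the gap here with `return !preg_match( '![:*?"<>|\\\\]!', $path );`. Separately, `[^/]{256}` without the `u` modifier counts bytes rather than characters, which fits the ext3 limit but not the "255 chars" wording in the comment, and the new docblock should gain `@return bool`.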