From 08176de1e188b9a59e705c62a7bb63dcef63219d Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 12 Feb 2008 22:45:10 +0000
Subject: [PATCH] * (bug 3269) Inaccessible titles ending in '/.' or '/..' now forbidden.
---
 RELEASE-NOTES | 1 +
 includes/Title.php | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 18d6e33cd0..bfbd4affc0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -385,6 +385,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 12301) Allow maintenance/findhooks.php to search hooks in multiple directories.
 * (bug 7681, 11559) Cookie values no longer override GET and POST variables.
 * (bug 5262) Fully-qualified $wgStylePath no longer corrupted on XML feeds
+* (bug 3269) Inaccessible titles ending in '/.' or '/..' now forbidden.
 == Parser changes in 1.12 ==
diff --git a/includes/Title.php b/includes/Title.php
index ad7cc54300..4c08f85549 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -2032,7 +2032,9 @@ class Title {
 strpos( $dbkey, './' ) === 0 ||
 strpos( $dbkey, '../' ) === 0 ||
 strpos( $dbkey, '/./' ) !== false ||
- strpos( $dbkey, '/../' ) !== false ) )
+ strpos( $dbkey, '/../' ) !== false ||
+ substr( $dbkey, -2 ) == '/.' ||
+ substr( $dbkey, -3 ) == '/..' ) )
 {
 return false;
 }
--
2.20.1
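Review bot: The two added `substr()` tests in includes/Title.php compare with loose `==`, while every neighbouring test in the same condition uses `===` or `!==`. Writing them as `substr( $dbkey, -2 ) === '/.' ||` and `substr( $dbkey, -3 ) === '/..' ) )` keeps the dot-segment filter uniform and does not lean on type juggling when `substr()` yields `false` (it can for an empty string on PHP before 8). The condition also lacks a comment saying why trailing segments are rejected. The commit subject only calls such titles inaccessible, presumably because clients strip dot segments from the URL path before sending the request, so something like `// Trailing "/." and "/.." are removed by URL dot-segment normalisation, so such titles can never be requested` would record that. The condition and its enclosing method start and end outside this hunk, so whether the bare keys `.` and `..` are already refused cannot be confirmed from the visible lines.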