# HG changeset patch
# User Yves-Marie Haussonne <1218002+ymph@users.noreply.github.com>
# Date 1385566570 -3600
# Node ID bb98a0de3bfdc9b32d35d21bb710b77923ace0a4
# Parent 8aca18c0da854f50b0ef9c296d468e235b53f404
sanitize filenames for hardheaded users
diff -r 8aca18c0da85 -r bb98a0de3bfd web/common.php
--- a/web/common.php Wed Nov 27 13:23:08 2013 +0100
+++ b/web/common.php Wed Nov 27 16:36:10 2013 +0100
@@ -407,17 +407,6 @@
 $realm = 'Polemictweet restricted area';
-/*function authenticate($users, $translate) {
- if (!isset($_SESSION['user_id']))
- {
- // Fetch current URL
- $this_url = $_SERVER['REQUEST_URI'];
-
- // Redirect to login page passing current URL
- header('Location: login.php?return_url=' . urlencode($this_url));
- exit;
- }
-}*/
 function authenticate($users, $translate) {
@@ -485,3 +474,67 @@
 return $needed_parts ? false : $data;
 }
+
+/**
+ * Modifies a string to remove all non ASCII characters and spaces.
+ */
+function slugify($text)
+{
+ // replace non letter or digits by -
+ $text = preg_replace('~[^\\pL\d]+~u', '-', $text);
+
+ // trim
+ $text = trim($text, '-');
+
+ // transliterate
+ if (function_exists('iconv'))
+ {
+ $text = iconv('utf-8', 'us-ascii//TRANSLIT', $text);
+ }
+
+ // lowercase
+ $text = strtolower($text);
+
+ // remove unwanted characters
+ $text = preg_replace('~[^-\w]+~', '', $text);
+
+ if (empty($text))
+ {
+ return 'n-a';
+ }
+
+ return $text;
+}
+
+
+// from http://www.house6.com/blog/?p=83
+function sanitize_filename($f) {
+ // a combination of various methods
+ // we don't want to convert html entities, or do any url encoding
+ // we want to retain the "essence" of the original file name, if possible
+ // char replace table found at:
+ // http://www.php.net/manual/en/function.strtr.php#98669
+ $replace_chars = array(
+ 'Š'=>'S', 'š'=>'s', 'Ð'=>'Dj','Ž'=>'Z', 'ž'=>'z', 'À'=>'A', 'Á'=>'A', 'Â'=>'A', 'Ã'=>'A', 'Ä'=>'A',
+ 'Å'=>'A', 'Æ'=>'A', 'Ç'=>'C', 'È'=>'E', 'É'=>'E', 'Ê'=>'E', 'Ë'=>'E', 'Ì'=>'I', 'Í'=>'I', 'Î'=>'I',
+ 'Ï'=>'I', 'Ñ'=>'N', 'Ò'=>'O', 'Ó'=>'O', 'Ô'=>'O', 'Õ'=>'O', 'Ö'=>'O', 'Ø'=>'O', 'Ù'=>'U', 'Ú'=>'U',
+ 'Û'=>'U', 'Ü'=>'U', 'Ý'=>'Y', 'Þ'=>'B', 'ß'=>'Ss','à'=>'a', 'á'=>'a', 'â'=>'a', 'ã'=>'a', 'ä'=>'a',
+ 'å'=>'a', 'æ'=>'a', 'ç'=>'c', 'è'=>'e', 'é'=>'e', 'ê'=>'e', 'ë'=>'e', 'ì'=>'i', 'í'=>'i', 'î'=>'i',
+ 'ï'=>'i', 'ð'=>'o', 'ñ'=>'n', 'ò'=>'o', 'ó'=>'o', 'ô'=>'o', 'õ'=>'o', 'ö'=>'o', 'ø'=>'o', 'ù'=>'u',
+ 'ú'=>'u', 'û'=>'u', 'ý'=>'y', 'ý'=>'y', 'þ'=>'b', 'ÿ'=>'y', 'ƒ'=>'f'
+ );
+ $f = strtr($f, $replace_chars);
+ // convert & to "and", @ to "at", and # to "number"
+ $f = preg_replace(array('/[\&]/', '/[\@]/', '/[\#]/'), array('-and-', '-at-', '-number-'), $f);
+ $f = preg_replace('/[^(\x20-\x7F)]*/','', $f); // removes any special chars we missed
+ $f = str_replace(' ', '-', $f); // convert space to hyphen
+ $f = str_replace('\'', '', $f); // removes apostrophes
+ $f = preg_replace('/[^\w\-\.]+/', '', $f); // remove non-word chars (leaving hyphens and periods)
+ $f = preg_replace('/[\-]+/', '-', $f); // converts groups of hyphens into one
+ if (function_exists('iconv'))
+ {
+ $f = iconv('utf-8', 'us-ascii//TRANSLIT', $f);
+ }
+
+ return strtolower($f);
+}
diff -r 8aca18c0da85 -r bb98a0de3bfd web/event_process.php
--- a/web/event_process.php Wed Nov 27 13:23:08 2013 +0100
+++ b/web/event_process.php Wed Nov 27 16:36:10 2013 +0100
@@ -34,43 +34,13 @@
 $zip->addEmptyDir("$event_title/images");
 foreach ($files as $key => $file_desc) {
 if($file_desc['size']>0) {
- $zip->addFile($file_desc['tmp_name'], "$event_title/images/".$file_desc['name']);
+ $zip->addFile($file_desc['tmp_name'], "$event_title/images/".sanitize_filename($file_desc['name']));
 }
 }
 return $zip->close();
 }
-/**
- * Modifies a string to remove all non ASCII characters and spaces.
- */
-function slugify($text)
-{
- // replace non letter or digits by -
- $text = preg_replace('~[^\\pL\d]+~u', '-', $text);
-
- // trim
- $text = trim($text, '-');
-
- // transliterate
- if (function_exists('iconv'))
- {
- $text = iconv('utf-8', 'us-ascii//TRANSLIT', $text);
- }
-
- // lowercase
- $text = strtolower($text);
-
- // remove unwanted characters
- $text = preg_replace('~[^-\w]+~', '', $text);
-
- if (empty($text))
- {
- return 'n-a';
- }
-
- return $text;
-}
 ?>
@@ -150,7 +120,7 @@
 }
 foreach ($_FILES as $key => $value) {
- $config_values[$key] = "images/".basename($value['name']);
+ $config_values[$key] = "images/".sanitize_filename(basename($value['name']));
 }
 $event_title = slugify($config_values['title']);
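Review bot: sanitize_filename can still return an empty string or a dot-only name such as `..`, because `[^\w\-\.]+` keeps periods and nothing checks the result before `return strtolower($f);`, so the event_process.php callers end up appending nothing or only dots to `"$event_title/images/"` and `"images/"`; slugify in the same hunk falls back to `n-a` and this function should too, e.g. `$f = trim($f, '.-');` followed by `return $f === '' ? 'n-a' : strtolower($f);`. The trailing `iconv('utf-8', 'us-ascii//TRANSLIT', $f)` is dead code: `preg_replace('/[^(\x20-\x7F)]*/','', $f)` has already deleted every non-ASCII byte, so characters missing from `$replace_chars` (anything beyond Latin-1) are dropped rather than transliterated — move the iconv step before that strip or remove it. The `(` and `)` inside that character class are literal and preserve parentheses, which the later `[^\w\-\.]+` removes anyway, and `$replace_chars` lists `'ý'=>'y'` twice. A docblock is also missing; `/** Reduces a client-supplied file name to lowercase ASCII letters, digits, hyphens and periods. */` would state the contract the callers rely on.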
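Review bot: The `+` line names the zip entry from `sanitize_filename($file_desc['name'])`, while the `@@ -150,7 +120,7 @@` hunk in this file names the config value from `sanitize_filename(basename($value['name']))`; for a name containing a path separator the two disagree, because sanitize_filename only deletes the `/` (`dir/a.png` becomes `dira.png`) whereas `basename` drops the directory (`a.png`), so the stored config would point at a file that is not in the archive. PHP normally strips directory components from `$_FILES[...]['name']` itself, but the two call sites should still be identical — use `sanitize_filename(basename($file_desc['name']))` here, or apply `basename()` once inside sanitize_filename. The enclosing function starts before this hunk and the origin of `$files` is not visible, so this assumes it is the same upload array the later hunk reads from `$_FILES`.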