#14466

git-svn-id: file:///svn/phpbb/trunk@8091 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-05 05:55:15 +02:00 · 2007-09-15 13:27:06 +00:00 · 2007-09-15 13:27:06 +00:00 · 36e99af959
commit 36e99af959
parent 09f6cf11dd
2 changed files with 3 additions and 2 deletions
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@ -209,6 +209,7 @@ p a {
 		<li>[Change] Reset the start parameter when the timeframe is changed in the mcp topic page (Ticket #14438)</li>
 		<li>[Change] Added Code for cleaning the confirm table to the session garbage collection</li>
 		<li>[Fix] Fixed token handling in jabber class for extremely spec-compilant XMPP server (Bug #14445)</li>
+		<li>[Fix] Disallowed galleries from using special characters (Bug #14466)</li>
 	</ul>

 	</div>
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@ -1975,14 +1975,14 @@ function avatar_gallery($category, $avatar_select, $items_per_column, $block_var

 		while (($file = readdir($dp)) !== false)
 		{
-			if ($file[0] != '.' && is_dir("$path/$file"))
+			if ($file[0] != '.' && preg_match('#^[^&"\'<>]+$#i', $file) && is_dir("$path/$file"))
 			{
 				$avatar_row_count = $avatar_col_count = 0;
 	
 				$dp2 = @opendir("$path/$file");
 				while (($sub_file = readdir($dp2)) !== false)
 				{
-					if (preg_match('#^[^&"<>]*\.(?:gif|png|jpe?g)$#i', $sub_file))
+					if (preg_match('#^[^&\'"<>]+\.(?:gif|png|jpe?g)$#i', $sub_file))
 					{
 						$avatar_list[$file][$avatar_row_count][$avatar_col_count] = array(
 							'file'		=> "$file/$sub_file",