From 9fea5620d935666490459d3be8c8aa3e326c6acf Mon Sep 17 00:00:00 2001
From: mystralkk
Date: Sun, 3 May 2020 09:43:53 +0900
Subject: [PATCH] Fixed a bug where User Image Names not always compatible with OS (bug #1002)
---
 public_html/admin/topic.php | 2 +-
 public_html/usersettings.php | 45 ++++++++++++++---------------------
 system/classes/FileSystem.php | 3 ++-
 system/lib-article.php | 4 ++--
 4 files changed, 23 insertions(+), 31 deletions(-)
diff --git a/public_html/admin/topic.php b/public_html/admin/topic.php
index fe3935879..1f0f41542 100644
--- a/public_html/admin/topic.php
+++ b/public_html/admin/topic.php
@@ -884,7 +884,7 @@ function handleIconUpload($tid)
 if (!empty($newIcon['name'])) {
 $pos = strrpos($newIcon['name'], '.') + 1;
 $fExtension = substr($newIcon['name'], $pos);
- $filename = 'topic_' . $tid . '.' . $fExtension;
+ $filename = \Geeklog\FileSystem::normalizeFileName('topic_' . $tid . '.' . $fExtension);
 }
 // do the upload
diff --git a/public_html/usersettings.php b/public_html/usersettings.php
index e97668b82..e060976d9 100644
--- a/public_html/usersettings.php
+++ b/public_html/usersettings.php
@@ -871,10 +871,10 @@ function emailAddressExists($email, $uid)
 /**
 * Upload new photo, delete old photo
 *
- * @param string $delete_photo 'on': delete old photo
+ * @param string $deletePhoto 'on': delete old photo
 * @return string filename of new photo (empty = no new photo)
 */
-function handlePhotoUpload($delete_photo = '')
+function handlePhotoUpload($deletePhoto = '')
 {
 global $_CONF, $_TABLES, $_USER, $LANG24;
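Review bot: In the topic.php hunk (handleIconUpload) the extension is still cut from the client-supplied `$newIcon['name']` with `strrpos(...) + 1`, and the `false` that `strrpos` returns for a name without a dot is not handled, so `$pos` becomes 1 and the "extension" is the whole name minus its first character. The same pattern is carried into handlePhotoUpload (usersettings.php) and service_submit_story (lib-article.php), and in the latter the resulting name is not passed through `normalizeFileName` at all. `pathinfo($newIcon['name'], PATHINFO_EXTENSION)` returns an empty string for a dot-less name and could be checked against the permitted image extensions before the file name is built; whether the upload class enforces such a list later is not visible in these hunks. All three functions continue outside the hunks shown.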
@@ -918,35 +918,26 @@ function handlePhotoUpload($delete_photo = '')
 }
 $filename = '';
- if (!empty($delete_photo) && ($delete_photo === 'on')) {
- $delete_photo = true;
- } else {
- $delete_photo = false;
- }
-
- $curphoto = DB_getItem($_TABLES['users'], 'photo',
- "uid = {$_USER['uid']}");
- if (empty($curphoto)) {
- $delete_photo = false;
+ $deletePhoto = (!empty($deletePhoto) && ($deletePhoto === 'on'));
+ $currentPhoto = DB_getItem($_TABLES['users'], 'photo', "uid = {$_USER['uid']}");
+ if (empty($currentPhoto)) {
+ $deletePhoto = false;
 }
 // see if user wants to upload a (new) photo
- $newphoto = $_FILES['photo'];
- if (!empty($newphoto['name'])) {
- $pos = strrpos($newphoto['name'], '.') + 1;
- $fextension = substr($newphoto['name'], $pos);
- $filename = $_USER['username'] . '.' . $fextension;
-
- if (!empty($curphoto) && ($filename != $curphoto)) {
- $delete_photo = true;
- } else {
- $delete_photo = false;
- }
+ $newPhoto = $_FILES['photo'];
+ if (!empty($newPhoto['name'])) {
+ $pos = strrpos($newPhoto['name'], '.') + 1;
+ $fExtension = substr($newPhoto['name'], $pos);
+
+ // Prevent a file name like '::ben.jpg' from being created
+ $filename = \Geeklog\FileSystem::normalizeFileName($_USER['username'] . '.' . $fExtension);
+ $deletePhoto = (!empty($currentPhoto) && ($filename !== $currentPhoto));
 }
 // delete old photo first
- if ($delete_photo) {
- USER_deletePhoto($curphoto);
+ if ($deletePhoto) {
+ USER_deletePhoto($currentPhoto);
 }
 // now do the upload
@@ -975,8 +966,8 @@ function handlePhotoUpload($delete_photo = '')
 COM_output($display);
 exit; // don't return
 }
- } elseif (!$deletePhoto && !empty($curphoto)) {
- $filename = $curphoto;
+ } elseif (!$deletePhoto && !empty($currentPhoto)) {
+ $filename = $currentPhoto;
 }
 return $filename;
diff --git a/system/classes/FileSystem.php b/system/classes/FileSystem.php
index 0d56736cf..838d0676f 100644
--- a/system/classes/FileSystem.php
+++ b/system/classes/FileSystem.php
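Review bot: In handlePhotoUpload the stored name is still keyed on `$_USER['username']`, and once it passes through `normalizeFileName` two distinct user names can map to the same file; going by the comment's own example, `::ben` and `__ben` would both produce `__ben.jpg`. One account's upload could then overwrite the other's photo, and the `$deletePhoto` branch could remove a file the other account still references. Building the name from the numeric id as well, e.g. `$_USER['uid'] . '_' . $_USER['username'] . '.' . $fExtension`, would keep it unique, at the cost of changing the naming scheme for photos already stored. Whether such user names can coexist depends on registration rules that are not shown here, and the function body starts and ends outside this hunk.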
@@ -58,7 +58,8 @@ public static function normalizeFileName($path)
 {
 $fileName = basename($path);
 $fileName = preg_replace('@[\x00-\x1f\x5c\x7f<>:\"/|?*]@', '_', $fileName);
+ $dir = dirname($path);
- return dirname($path) . DIRECTORY_SEPARATOR . $fileName;
+ return ($dir === '.') ? $fileName : $dir . DIRECTORY_SEPARATOR . $fileName;
 }
 }
diff --git a/system/lib-article.php b/system/lib-article.php
index 99ccb85de..0f75e6965 100644
--- a/system/lib-article.php
+++ b/system/lib-article.php
@@ -2701,8 +2701,8 @@ function service_submit_story($args, &$output, &$svc_msg)
 if ($file['error'] == 0) {
 $num = str_replace('file', '', $k);
 $pos = strrpos($file['name'], '.') + 1;
- $fextension = substr($file['name'], $pos);
- $ai_fnames[$num] = $sid . '_' . $num . '.' . $fextension;
+ $fExtension = substr($file['name'], $pos);
+ $ai_fnames[$num] = $sid . '_' . $num . '.' . $fExtension;
 $filenames[] = $ai_fnames[$num];
 $uploadFiles[$num] = $file;
 }
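Review bot: In normalizeFileName only the `basename()` part goes through `preg_replace`; `$dir` is concatenated back untouched, and because `basename()` has already split on `/`, that entry in the character class can never match. The callers changed in this commit pass a bare name built from a user name or topic id, so a value containing a separator would come back as `dir/name` rather than a flat file name. If name-only use is intended, the docblock should state that the argument is treated as a path, and such callers should replace separators first, e.g. `str_replace(['/', '\\'], '_', $name)`. Trailing dots or spaces and reserved device names such as `NUL` are also left as-is, which matters if Windows compatibility is the goal of the fix.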