Closed eSilverStrike closed 2 years ago
The signature of the extract method of the split brain package contains an optional preg string to match include files, and the same for files to exclude. That would be an option to use and document.
Fixed with change set 16276702bc25d743902d9e54e5c041d8229cea1e. Now valid characters are [0-9a-zA-Z_.-].
This issue is a summary from a discussion found here: #1100 as reported by remyKobolski
It also is related somewhat to #1002
Before/while Geeklog extracts a zip file should we scan the file names to determine if they are all compatible with the current web server OS?
For example, Windows Server filenames can have ":" and Linux cannot.
Basically, unzipping the plugin should not allow such files to be extracted: skip files that begin with a dot, have unprintable names, or contain characters like '<', '>', '!', '?'.
If a file is found the extraction should be aborted since we have no idea if the file is actually required.
The main thing this affects is installing/updating plugins from a zip file.
The other option for this is we include a requirement for plugins that all filenames used are compatible with any OS of the Web servers Geeklog supports. We can state this in the Wiki (and what not to use). We already make other somewhat similar assumptions that the plugin zip file is set up in a certain way and contains certain files.
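A pre-extraction check along the lines discussed in this issue, as an added example that is not part of the thread or of Geeklog's code: every entry name is tested against the allowlist [0-9a-zA-Z_.-] from the fix comment, and any failure aborts the whole extraction. The function names are hypothetical, and applying the allowlist per '/'-separated path segment and rejecting leading-dot segments are assumptions based on the issue text.

```php
<?php
// Added example, not Geeklog code; function names are hypothetical.

/**
 * Return entry names that fail the check; an empty result means extraction may proceed.
 * Assumptions: '/' separates path segments and [0-9a-zA-Z_.-] applies per segment.
 */
function findUnsafeEntries(array $entryNames): array
{
    $unsafe = [];
    foreach ($entryNames as $name) {
        // Zip directory entries end with '/'; drop it before splitting.
        foreach (explode('/', rtrim($name, '/')) as $segment) {
            $ok = preg_match('/\A[0-9a-zA-Z_.-]+\z/', $segment) === 1
                && $segment[0] !== '.'; // dot files, and also '.' and '..'
            if (!$ok) {
                $unsafe[] = $name;
                break;
            }
        }
    }
    return $unsafe;
}

/** Read entry names from a zip file without extracting anything. */
function listZipEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $names[] = $zip->getNameIndex($i);
    }
    $zip->close();
    return $names;
}

// Constructed sample names; with a real upload use listZipEntries($path).
$sample = [
    'myplugin/', 'myplugin/functions.inc', 'myplugin/admin/index.php',
    'myplugin/.hidden', 'myplugin/what?.txt', 'myplugin/a:b.txt',
    'myplugin/../config.php', "myplugin/bad\x01name.php",
];
$unsafe = findUnsafeEntries($sample);
// Abort the whole extraction on any hit instead of skipping single files.
echo $unsafe === [] ? "OK to extract\n"
    : "Aborting, unsafe names: " . json_encode($unsafe) . "\n";
```

Because the allowlist includes '.', a character check alone would accept a segment consisting only of dots, which is why the leading-dot test is kept as a separate condition.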