I think it would probably be better to try to list valid patterns rather than
invalid ones. Something like names can be letters, digits and underlines
(and maybe dashes). For example those matched by the perl pattern:
^[A-Za-z0-9_]+$
...that could be used to overwrite unexpected files when downloaded. This
doesn't protect people downloading campaigns from untrusted servers. That will
be a separate fix.
campaign_name is now set to the campaign_name and name is cleared (in
the event that a bad client were to set its value). The issue is that
the top level is treated as a directory entry, but the clients make a
special check for a null name. So if the name isn't null it is treated
as a directory name.
However there is still a security issue that I will be addressing in a
separate patch coming shortly.
The [dir] and [file] "name" attributes do not appear to be checked on either
upload or download and should really be checked in both places. It looks like
"name" can be checked to make sure it is not null and then use the same
valid filename check that is applied to the campaign name.
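The check described above, applied to the campaign name and to every [dir] and [file] "name" in an upload, as an added example that is not the campaign server's own code. The node layout (name/attr/children hashes), the function names and the sample upload are assumptions; the pattern is the one quoted earlier, anchored with \A and \z because Perl's $ also matches before a trailing newline.

```perl
use strict;
use warnings;

# Allowlist pattern quoted in the commit message above. \A and \z replace
# ^ and $ so that a name such as "orc\n" is rejected.
my $VALID_NAME = qr/\A[A-Za-z0-9_]+\z/;

sub valid_name {
    my ($name) = @_;
    return defined $name && $name =~ $VALID_NAME ? 1 : 0;
}

# Walk a tree of [dir]/[file] nodes and return the path of every node whose
# "name" is missing or fails the allowlist. Assumed node layout:
# { name => 'dir'|'file', attr => { name => ... }, children => [ ... ] }
sub bad_names {
    my ($node, $path) = @_;
    my @bad;
    for my $child (@{ $node->{children} || [] }) {
        next unless $child->{name} eq 'dir' || $child->{name} eq 'file';
        my $n    = $child->{attr}{name};
        my $here = $path . '/' . (defined $n ? $n : '<undef>');
        push @bad, $here unless valid_name($n);
        push @bad, bad_names($child, $here) if $child->{name} eq 'dir';
    }
    return @bad;
}

# Constructed sample upload (not real campaign data).
my $upload = {
    name => 'campaign', attr => { name => 'My_Campaign' },
    children => [
        { name => 'file', attr => { name => 'scenario_1' } },
        { name => 'dir',  attr => { name => 'units' }, children => [
            { name => 'file', attr => { name => "orc\n" } },  # trailing newline
            { name => 'file', attr => {} },                   # missing name
        ] },
        { name => 'dir', attr => { name => '..' }, children => [] },
    ],
};

my $top = $upload->{attr}{name};
my @bad = bad_names($upload, defined $top ? $top : '<undef>');
unshift @bad, '<campaign name>' unless valid_name($top);
(my $shown = join(', ', @bad)) =~ s/\n/\\n/g;   # make control characters visible
print @bad ? "reject upload: $shown\n" : "accept upload\n";
```

The same walk can be run on the client before anything from a downloaded campaign is written to disk, so the check covers both directions.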
...since those are only with literal strings to refer to another
domain than the one the file is attached to (typically to refer to
strings already existing in wesnoth-lib) - this is a revert of
2004-09-03T09:36:36Z!ydirson@free.fr. Commit also known as "everyone back to 100%" or so ;)
(though I am not sure perl really will give any back to the OS) before doing
the copy of the cached file, as that step doesn't need the undef'd data and
can take a while to run.
...it will sometimes pick up the same language twice for a given
campaign. (Currently Invasion of Eliador has this issue with sv.) This
isn't a problem on the campaign server side. However it looks bad on
the web page. So I now have the campaign list suppressing duplicate
languages.
I also fixed a bug where the languages weren't sorted the intended way.
(except for when webtgz.pl successfully returns a tgz file).
I also changed webtgz.pl to only request campaign info for the campaign of
interest. In the future (after getting campaign summary info loaded for old
campaigns on the campaign server) this request won't be needed at all and will
be removed.