From 2a28591bf7f4b3f46d663d73f975da4f09e8975c Mon Sep 17 00:00:00 2001
From: iglocska
Date: Tue, 5 Nov 2013 13:48:39 +0100
Subject: [PATCH] Loosened the filename validation on attachments - filenames without extensions were blocked for example
---
 app/Controller/AttributesController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index ff76111fb..fa93489c5 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -317,7 +317,7 @@ class AttributesController extends AppController {
 if ($this->request->data['Attribute']['malware']) {
 $this->request->data['Attribute']['type'] = "malware-sample";
 // Validate filename
- if (!preg_match('@^[\w-,\s,\.]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w\-. ]+$@', $filename)) throw new Exception ('Filename not allowed');
 $this->request->data['Attribute']['value'] = $filename . '|' . hash_file('md5', $tmpfile->path); // TODO gives problems with bigger files
 $sha256 = (hash_file('sha256', $tmpfile->path));
 $sha1 = (hash_file('sha1', $tmpfile->path));
@@ -325,7 +325,7 @@ class AttributesController extends AppController {
 } else {
 $this->request->data['Attribute']['type'] = "attachment";
 // Validate filename
- if (!preg_match('@^[\w-,\s,\.]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w\-. ]+$@', $filename)) throw new Exception ('Filename not allowed');
 $this->request->data['Attribute']['value'] = $filename;
 $this->request->data['Attribute']['to_ids'] = 0;
 }
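Review bot: The loosened pattern `@^[\w\-. ]+$@` in the malware-sample branch now accepts names made only of dots or spaces, such as `.` and `..`, which the old pattern rejected as a side effect of requiring an extension. As before, `$` without the `D` modifier also matches just before a final newline, so a name ending in a line break still passes and is copied into the attribute value. Whether `$filename` is later used to build a storage or archive path is not visible in this hunk, so treat the dot-only case as a risk to confirm rather than a proven flaw. The relaxation can be kept while closing both gaps with `if (!preg_match('@^[\w\-. ]+\z@', $filename) || trim($filename, '. ') === '') throw new Exception ('Filename not allowed');`. The identical check in the attachment branch (second hunk) needs the same change, and the enclosing method starts and ends outside both hunks.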