Disallow more patterns

Author: craigdietrich

system/application/libraries/File_Upload.php

@@ -9,7 +9,9 @@ public function __construct() {}
         // Upload a file (e.g., "Loocal Media Files")
         public function uploadMedia($slug,$chmodMode,$versions=null) {
             if (empty($_FILES)) throw new Exception('Could not find uploaded file');
+            $prepends = array('', 'media');
             $path =@ $_POST['slug_prepend'];
+            if (!in_array($path, $prepends)) throw new Exception('Invalid prepend');
             $targetPath = confirm_slash(FCPATH).$slug.$path;
             if (!file_exists($targetPath)) mkdir($targetPath, $chmodMode, true);
             $tempFile = $_FILES['source_file']['tmp_name'];
@@ -20,6 +22,7 @@ public function uploadMedia($slug,$chmodMode,$versions=null) {
                 $version = $versions->get($version_id);
                 $name = $version->url;
                 if (substr($name, 0, 6)=='media/') $name = substr($name, 6);  // Don't use ltrim() because of an apparent OS X bug (we have verifiable problems when a filename began with "em")
+                if (!$this->is_allowed($name)) throw new Exception('Invalid replacement name');
             }
             $targetFile = rtrim($targetPath,'/') . '/' . $name;
             $this->upload($tempFile,$targetFile,$chmodMode);