From 6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 27 Jan 2017 11:13:00 +0100
Subject: [PATCH] fixes #600, avoid html in web uploaded filenames
---
 action.php | 2 +-
 admin/include/functions_upload.inc.php | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/action.php b/action.php
index b87e16054..d800e4797 100644
--- a/action.php
+++ b/action.php
@@ -216,7 +216,7 @@ $http_headers[] = 'Content-Type: '.$ctype;
 if (isset($_GET['download']))
 {
- $http_headers[] = 'Content-Disposition: attachment; filename="'.$element_info['file'].'";';
+ $http_headers[] = 'Content-Disposition: attachment; filename="'.htmlspecialchars_decode($element_info['file']).'";';
 $http_headers[] = 'Content-Transfer-Encoding: binary';
 }
 else
diff --git a/admin/include/functions_upload.inc.php b/admin/include/functions_upload.inc.php
index 900612fdd..cedebd14c 100644
--- a/admin/include/functions_upload.inc.php
+++ b/admin/include/functions_upload.inc.php
@@ -161,6 +161,11 @@ function add_uploaded_file($source_filepath, $original_filename=null, $categorie
 global $conf, $user;
+ if (!is_null($original_filename))
+ {
+ $original_filename = htmlspecialchars($original_filename);
+ }
+
 if (isset($original_md5sum))
 {
 $md5sum = $original_md5sum;
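Review bot: In the action.php hunk the decoded name is placed inside the quoted `filename="…"` parameter with no further filtering, so a name stored as `&quot;` becomes a literal `"` again and ends the parameter early; a backslash or a control character is similarly unsafe in a quoted header value. Neutralise those characters after decoding, for example `$download_name = str_replace(array('"', '\\', "\r", "\n"), '_', htmlspecialchars_decode($element_info['file']));`, and build the header from `$download_name`. Rows written before this commit were never escaped, so decoding them can alter a name that legitimately contains text such as `&amp;`; a one-line comment saying that `file` is expected to be HTML-escaped here would make that assumption visible. The `else` branch continues outside the hunk, so whether the inline disposition needs the same treatment cannot be checked from these lines.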
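Review bot: In the functions_upload.inc.php hunk, `htmlspecialchars($original_filename)` relies on the default flags, which on PHP versions before 8.1 leave single quotes unescaped, so a filename later printed inside a single-quoted attribute would still carry a markup-breaking character. Passing the flag explicitly, `$original_filename = htmlspecialchars($original_filename, ENT_QUOTES);` (with the gallery charset as third argument if it is not the PHP default), removes that dependence; the `htmlspecialchars_decode()` call in action.php would then need `ENT_QUOTES` as well. Escaping at storage time means every non-HTML consumer has to decode and that files uploaded before this commit keep their raw names, so a comment above the new block stating that the filename is stored HTML-escaped from here on would help the next reader. The body of add_uploaded_file continues outside the hunk, so any later use of `$original_filename` there (extension detection, path building) now sees the escaped form, which is presumably harmless but worth confirming.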