From 5d9e41d2aed9c0e175e3ea0ecbf74efcc1c18119 Mon Sep 17 00:00:00 2001
From: Tobias Reich
Date: Sat, 30 Aug 2014 19:18:09 +0200
Subject: [PATCH] Escape photo download title

---
 php/modules/Photo.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/php/modules/Photo.php b/php/modules/Photo.php
index e88487d..9a2b0c0 100755
--- a/php/modules/Photo.php
+++ b/php/modules/Photo.php
@@ -588,9 +588,18 @@ class Photo extends Module {
 return false;
 }
 
+ # Illicit chars
+ $badChars = array_merge(
+ array_map('chr', range(0,31)),
+ array("<", ">", ":", '"', "/", "\\", "|", "?", "*")
+ );
+
 # Parse title
 if ($photo->title=='') $photo->title = 'Untitled';
 
+ # Escape title
+ $zipTitle = str_replace($badChars, '', $zipTitle);
+
 # Set headers
 header("Content-Type: application/octet-stream");
 header("Content-Disposition: attachment; filename=\"" . $photo->title . $extension . "\"");
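Review bot: The added `str_replace` filters `$zipTitle`, which is not assigned anywhere in this hunk, while the `Content-Disposition` header below still concatenates the raw `$photo->title`. As written, the double quote and control characters listed in `$badChars` appear to reach the quoted filename unchanged. The line should operate on the title itself, `$photo->title = str_replace($badChars, '', $photo->title);`, and sit before the `if ($photo->title=='')` fallback so that a title made up only of stripped characters still becomes `Untitled`. `$extension` is concatenated into the same header and is set outside the hunk, so whether it needs the same filtering cannot be judged from here. The enclosing method starts and ends outside the hunk.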