Sync safe_filename implementation across files for consistency

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
2026-02-19 09:33:47 +00:00
parent 1c5533c13d
commit ffb74751a3
1 changed files with 18 additions and 1 deletions
--- a/public_html/entreaulas/proyectos.php
+++ b/public_html/entreaulas/proyectos.php
@@ -36,8 +36,25 @@ if (!is_dir($proyectos_dir)) {
 // Helper functions
 function safe_filename($name)
 {
+  // Normalize to base name to avoid directory traversal
  $name = basename($name);
-  return preg_replace("/[^a-zA-Z0-9._-]/", "_", $name);
+  // Replace disallowed characters with underscore
+  $name = preg_replace("/[^a-zA-Z0-9._-]/", "_", $name);
+  // Remove leading dots to avoid hidden/special files like ".htaccess"
+  $name = ltrim($name, '.');
+  // Ensure there is at most one dot in the filename to prevent extension confusion
+  if (substr_count($name, '.') > 1) {
+    $parts = explode('.', $name);
+    $ext   = array_pop($parts);
+    $base  = implode('_', $parts);
+    // Ensure extension is not empty
+    if ($ext === '') {
+      $name = $base === '' ? 'file' : $base;
+    } else {
+      $name  = ($base === '' ? 'file' : $base) . '.' . $ext;
+    }
+  }
+  return $name;
 }

 function sanitize_html($html)