app/models/file_yard.rb in instiki-0.10.1 vs app/models/file_yard.rb in instiki-0.10.2
- old
+ new
@@ -4,21 +4,21 @@
class FileYard
attr_reader :files_path
def initialize(files_path, max_upload_size)
- @files_path = files_path
- @max_upload_size = max_upload_size
- FileUtils.mkdir_p(files_path) unless File.exist?(files_path)
- @files = Dir["#{files_path}/*"].collect{|path| File.basename(path) if File.file?(path) }.compact
+ @files_path, @max_upload_size = files_path, max_upload_size
+ FileUtils.mkdir_p(@files_path) unless File.exist?(@files_path)
+ @files = Dir["#{@files_path}/*"].collect{|path| File.basename(path) if File.file?(path) }.compact
end
def upload_file(name, io)
sanitize_file_name(name)
if io.kind_of?(Tempfile)
io.close
check_upload_size(io.size)
+ File.chmod(600, file_path(name)) if File.exists? file_path(name)
FileUtils.mv(io.path, file_path(name))
else
content = io.read
check_upload_size(content.length)
File.open(file_path(name), 'wb') { |f| f.write(content) }
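Review bot: The added `File.chmod(600, file_path(name))` in the Tempfile branch of `upload_file` passes the mode as a decimal integer, which is octal 01130 (sticky bit, owner execute only, group write and execute), not owner read/write. The existing upload therefore ends up unreadable by its owner and writable by its group until the following `FileUtils.mv` replaces it. Use the octal literal, and `File.exist?` to match `initialize`: `File.chmod(0600, file_path(name)) if File.exist?(file_path(name))`. The `else` branch writes through `File.open` with no explicit mode at all, so the two paths presumably leave uploads with different permissions; `upload_file` continues past the end of this hunk, so that part cannot be confirmed from here.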
@@ -37,15 +37,15 @@
def file_path(name)
"#{files_path}/#{name}"
end
- SANE_FILE_NAME = /[-_\.A-Za-z0-9]{1,255}/
+ SANE_FILE_NAME = /[a-zA-Z0-9\-_\. ]{1,255}/
def sanitize_file_name(name)
- unless name =~ SANE_FILE_NAME
+ unless name =~ SANE_FILE_NAME or name == '.' or name == '..'
raise Instiki::ValidationError.new("Invalid file name: '#{name}'.\n" +
- "Only latin characters, digits, dots, underscores and dashes are accepted.")
+ "Only latin characters, digits, dots, underscores, dashes and spaces are accepted.")
end
end
def check_upload_size(actual_upload_size)
if actual_upload_size > @max_upload_size.kilobytes
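Review bot: `SANE_FILE_NAME` is unanchored, so `name =~ SANE_FILE_NAME` in `sanitize_file_name` succeeds for any name containing at least one allowed character; a name with `/` or a `..` segment passes and is interpolated into `file_path` unchanged. The added `or name == '.' or name == '..'` sits inside the `unless`, so those two names are explicitly accepted instead of rejected. Anchor the pattern to the whole string and invert the test: `SANE_FILE_NAME = /\A[a-zA-Z0-9\-_\. ]{1,255}\z/` and `if name !~ SANE_FILE_NAME or name == '.' or name == '..'`. A short comment above the constant saying that it must match the entire name, because the result is used as a path component under `files_path`, would keep the anchors from being dropped later.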