From 393e0d71f4c5478bea53ff62ff818aebbabb3e40 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Wed, 22 May 2013 00:45:21 +0200
Subject: Update to MediaWiki 1.20.6
---
 includes/upload/UploadStash.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'includes/upload/UploadStash.php')
diff --git a/includes/upload/UploadStash.php b/includes/upload/UploadStash.php
index c7fd23a9..53a90582 100644
--- a/includes/upload/UploadStash.php
+++ b/includes/upload/UploadStash.php
@@ -422,6 +422,7 @@ class UploadStash {
 * @return string
 */
 public static function getExtensionForPath( $path ) {
+ global $wgFileBlacklist;
 // Does this have an extension?
 $n = strrpos( $path, '.' );
 $extension = null;
@@ -441,7 +442,15 @@ class UploadStash {
 throw new UploadStashFileException( "extension is null" );
 }
- return File::normalizeExtension( $extension );
+ $extension = File::normalizeExtension( $extension );
+ if ( in_array( $extension, $wgFileBlacklist ) ) {
+ // The file should already be checked for being evil.
+ // However, if somehow we got here, we definitely
+ // don't want to give it an extension of .php and
+ // put it in a web accesible directory.
+ return '';
+ }
+ return $extension;
 }
 /**
-- cgit v1.2.2
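Review bot: The blacklist branch added in the second hunk returns `''` without any trace, although its own comment says that reaching it means an earlier upload check was bypassed; the null-extension path just above it throws `UploadStashFileException` instead. A log line before the return, for example `wfDebug( __METHOD__ . ": blacklisted extension '$extension' dropped for $path\n" );`, would let operators notice that case rather than only finding an extensionless file in the stash. The match also relies on `$wgFileBlacklist` entries being in the form `File::normalizeExtension()` produces (presumably lower case), and it only sees the part after the last dot found by `strrpos`, so it is worth confirming how the stash path is built. Passing `true` as the third argument, `in_array( $extension, $wgFileBlacklist, true )`, keeps the comparison to exact strings. The body of getExtensionForPath spans both hunks and its middle section is not visible here.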