function testSanitizers()
{
$this->assertEquals("test.conf", wmeSanitizeConfigFile("test.conf"));
$this->assertEquals("te-st.conf", wmeSanitizeConfigFile("te-st.conf"));
$this->assertEquals("", wmeSanitizeConfigFile("test"));
$this->assertEquals("", wmeSanitizeConfigFile("test.png"));
$this->assertEquals("", wmeSanitizeConfigFile("index.php"));
$this->assertEquals("", wmeSanitizeConfigFile(".htaccess"));
$this->assertEquals("", wmeSanitizeConfigFile("../../conf/apache.conf"));
$this->assertEquals("", wmeSanitizeConfigFile("../../etc/passwd"));
$this->assertEquals("", wmeSanitizeConfigFile("file*.conf"));
$this->assertEquals("fish.ext1", wmeSanitizeFile("fish.ext1", array("ext1", "ext2")));
$this->assertEquals("", wmeSanitizeFile("fish.ext1", array("ext2", "ext3")));
$this->assertEquals("", wmeSanitizeFile("fish", array("ext2", "ext3")));
}
function wmeSanitizeConfigFile($filename)
{
# If we've been fed something other than a .conf filename, just pretend it didn't happen
$filename = wmeSanitizeFile($filename, array("conf"));
# on top of the url stuff, we don't ever need to see a / in a config filename
# (CVE-2013-3739)
if (strstr($filename, "/") !== false) {
$filename = "";
}
if (strstr($filename, "?") !== false) {
$filename = "";
}
if (strstr($filename, "*") !== false) {
$filename = "";
}
return $filename;
}
