From 0ffdbc5efd7d1e757852df970f57b24cfc0f189b Mon Sep 17 00:00:00 2001
From: chrisbethelepb
Date: Wed, 12 Sep 2018 13:37:21 -0400
Subject: [PATCH] Relax restrictions on MediaLibrary filenames (#3778)
Fixes #3741. Credit to @chrisbethelepb
---
 modules/system/classes/MediaLibrary.php | 24 +++++++++++++++----
 .../unit/system/classes/MediaLibraryTest.php | 4 ++++
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/modules/system/classes/MediaLibrary.php b/modules/system/classes/MediaLibrary.php
index 045f5840b..941f6c757 100644
--- a/modules/system/classes/MediaLibrary.php
+++ b/modules/system/classes/MediaLibrary.php
@@ -475,7 +475,23 @@ class MediaLibrary
 /*
 * Validate folder names
 */
- if (!preg_match('/^[\w@\.\s_\-\/]+$/iu', $path)) {
+ $regexWhitelist = [
+ '\w', // any word character
+ preg_quote('@', '/'),
+ preg_quote('.', '/'),
+ '\s', // whitespace character
+ preg_quote('-', '/'),
+ preg_quote('_', '/'),
+ preg_quote('/', '/'),
+ preg_quote('(', '/'),
+ preg_quote(')', '/'),
+ preg_quote('[', '/'),
+ preg_quote(']', '/'),
+ preg_quote(',', '/'),
+ preg_quote('=', '/'),
+ ];
+
+ if (!preg_match('/^[' . implode('', $regexWhitelist) . ']+$/iu', $path)) {
 throw new ApplicationException(Lang::get('system::lang.media.invalid_path', compact('path')));
 }
@@ -686,21 +702,21 @@ class MediaLibrary
 switch ($sortSettings['by']) {
 case self::SORT_BY_TITLE:
 $result = strcasecmp($a->path, $b->path);
- break;
+ break;
 case self::SORT_BY_SIZE:
 if ($a->size < $b->size) {
 $result = -1;
 } else {
 $result = $a->size > $b->size ? 1 : 0;
 }
- break;
+ break;
 case self::SORT_BY_MODIFIED:
 if ($a->lastModified < $b->lastModified) {
 $result = -1;
 } else {
 $result = $a->lastModified > $b->lastModified ? 1 : 0;
 }
- break;
+ break;
 }
 // Reverse the polarity of the result to direct sorting in a descending order instead
diff --git a/tests/unit/system/classes/MediaLibraryTest.php b/tests/unit/system/classes/MediaLibraryTest.php
index 8adaaf54f..55c027544 100644
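Review bot: The allow-list entry `'\s'` in the first hunk accepts more than a space: under the `u` modifier it also matches tab, carriage return, line feed and other Unicode whitespace, so a media path containing line breaks still passes this check after the rewrite. Since the character class is being rebuilt here anyway, consider `' ', // literal space only` in place of `'\s'` and ending the pattern with `]+$/uD` so that `$` cannot match before a trailing newline; the `i` flag has no effect on this class and can be dropped. Whether any caller depends on tabs or other whitespace in names is not visible from this hunk, so confirm before tightening. The list is constant and could live in a class constant instead of being rebuilt on every call; the enclosing method starts and ends outside the hunk.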
--- a/tests/unit/system/classes/MediaLibraryTest.php
+++ b/tests/unit/system/classes/MediaLibraryTest.php
@@ -33,6 +33,10 @@ class MediaLibraryTest extends TestCase // @codingStandardsIgnoreLine
 ['file.ext'],
 ['file..ext'],
 ['file...ext'],
+ ['one,two.ext'],
+ ['one(two)[].ext'],
+ ['one=(two)[].ext'],
+ ['one_(two)[].ext'],
 ];
 }
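Review bot: The four added cases exercise only the accepting side of the widened allow-list; nothing in this hunk pins which characters must still be rejected. If the provider for invalid paths (not visible here) does not already cover them, add names built from characters just outside the new class, for example the constructed samples `['one{two}.ext'],` and `['one;two.ext'],`, so that a later edit to the character class cannot widen it unnoticed. A case containing a line break would also document how whitespace in names is meant to be treated. The provider method starts outside the hunk.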