--- loncom/publisher/loncfile.pm 2004/05/26 22:25:38 1.55
+++ loncom/publisher/loncfile.pm 2004/08/20 16:29:15 1.60
@@ -9,7 +9,7 @@
 # and displays a page showing the results of the action.
 #
 #
-# $Id: loncfile.pm,v 1.55 2004/05/26 22:25:38 albertel Exp $
+# $Id: loncfile.pm,v 1.60 2004/08/20 16:29:15 www Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -164,6 +164,7 @@ sub URLToPath {
 sub url {
 my $fn=shift;
 $fn=~s/^\/home\/(\w+)\/public\_html/\/priv\/$1/;
+ $fn=&HTML::Entities::encode($fn,'<>"&');
 return $fn;
 }
@@ -288,11 +289,19 @@ sub checksuffix {
 }
 sub cleanDest {
- my ($request,$dest)=@_;
+ my ($request,$dest,$subdir)=@_;
 #remove bad characters
- if ($dest=~/[\#\?&]/) {
+ my $foundbad=0;
+ if ($subdir && $dest =~/\./) {
+ $foundbad=1;
+ $dest=~s/\.//g;
+ }
+ if ($dest=~/[\#\?&%\"]/) {
+ $foundbad=1;
+ $dest=~s/[\#\?&%\"]//g;
+ }
+ if ($foundbad) {
 $request->print("
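Review bot: The escape set passed to `HTML::Entities::encode` on the added line in url() is `<>"&`, so a single quote survives and the result is only safe in element text or a double-quoted attribute; a caller that drops it into a single-quoted attribute or a JavaScript string is still injectable. Doing the escaping inside url(), which is otherwise a path rewrite, also means any caller that needs the raw path (a Location header, a filesystem call) now receives entities, and the phasetwo hunk later in this diff stops calling url() for one such value, presumably for that reason. Consider leaving url() as a pure path transform and escaping at each print site; if the helper is kept, at least widen the set: `$fn=&HTML::Entities::encode($fn,'<>"&\'');`. Also confirm the file has `use HTML::Entities;` (not visible in this diff): the fully qualified call compiles regardless and only fails at runtime if the module was never loaded.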

".&mt('Invalid characters in requested name have been removed.')."

"); - $dest=~s/[\#\?&]//g; } return $dest; } @@ -749,7 +758,9 @@ performed and reported to the user. sub phaseone { my ($r,$fn,$uname,$udom)=@_; - my $newfilename=&cleanDest($r,$ENV{'form.newfilename'}); + my $doingdir=0; + if ($ENV{'form.action'} eq 'newdir') { $doingdir=1; } + my $newfilename=&cleanDest($r,$ENV{'form.newfilename'},$doingdir); $newfilename=&relativeDest($fn,$newfilename,$uname); $r->print('
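Review bot: cleanDest is still a denylist: the regexes on the added lines remove `#?&%"` (and every `.` when a directory is being created) but leave `/`, `..` in file names, `'`, `<`, `>`, backslash, whitespace and control characters untouched, so the returned name can still climb out of the caller's directory or break the HTML it is echoed into. Whether relativeDest, which phaseone applies right afterwards (outside this hunk), confines the path is not visible here, so the safer change is an allow-list in place of the second character-class check, e.g. `if ($dest=~s/[^\w.\/-]//g) { $foundbad=1; }`, widened to whatever names the publisher genuinely permits. Silently rewriting the name and carrying on is also worth reconsidering: the user may now act on a different file than the one typed, and refusing the request while naming the offending characters is the more predictable behaviour. The directory branch in particular turns `v1.2` into `v12` while the message only says that characters were removed; appending the stripped characters to the `&mt(...)` text would make that visible.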
'. ''. @@ -1116,7 +1127,7 @@ sub phasetwo { if(!&Rename2($r, $uname, $dir, $fn, $ENV{'form.newfilename'})) { return; } - $dest = &url($ENV{'form.newfilename'}); + $dest = $ENV{'form.newfilename'}; } } elsif ($ENV{'form.action'} eq 'delete') { if(!&Delete2($r, $uname, $ENV{'form.newfilename'})) { @@ -1155,6 +1166,7 @@ sub handler { $r=shift; + &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['decompress','action','filename','newfilename']); &Debug($r, "loncfile.pm - handler entered"); &Debug($r, " filename: ".$ENV{'form.filename'}); @@ -1173,7 +1185,6 @@ sub handler { } elsif($ENV{'QUERY_STRING'} && $ENV{'form.phase'} ne 'two') { #Just hijack the script only the first time around to inject the #correct information for further processing - &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['decompress']); $fn=&Apache::lonnet::unescape($ENV{'form.decompress'}); $fn=&URLToPath($fn); $ENV{'form.action'}="decompress";
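Review bot: The three added lines at the top of phaseone compute a boolean through a temporary and an if; `my $doingdir = ($ENV{'form.action'} eq 'newdir') ? 1 : 0;` says the same in one line and keeps the flag's meaning next to its definition. Since the flag changes what cleanDest strips (every `.` in the name), a short comment such as `# directory names may not contain dots` would record why the action matters at this point. phaseone continues past the end of this hunk.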
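Review bot: With the url() call dropped, `$dest` in phasetwo is the form value exactly as submitted, and on the line above it Rename2 already receives the same raw `$ENV{'form.newfilename'}`; cleanDest runs only in phaseone on the previous request, so a client that posts phase two directly never passes through it. Unless Rename2 validates the name itself (its body is not in this diff), phasetwo should repeat the check before dispatching on the action, e.g. `my $newfilename=&cleanDest($r,$ENV{'form.newfilename'},($ENV{'form.action'} eq 'newdir'));` and use that value for both the rename and `$dest`. If `$dest` is later printed into the page (its uses are outside this hunk), it now needs escaping at that print site, since url() no longer does it. phasetwo starts and ends outside this hunk.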
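Review bot: The added get_unprocessed_cgi call in handler now merges `action`, `filename` and `newfilename` from the query string into `form.*` on every request, whereas the call it replaces (removed in the following hunk) ran only on the decompress entry and imported only `decompress`; the target of a rename or delete can therefore be supplied in a URL. `phase` is not in the list, so completing phase two still appears to need the POST body, but confirm that get_unprocessed_cgi does not overwrite fields already parsed from the body, and consider keeping the query-string import behind the same first-pass condition the old code used, e.g. `if ($ENV{'form.phase'} ne 'two') { &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['decompress','action','filename','newfilename']); }`. handler starts before this hunk and continues after it.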