Ticket #16189: check for double periods.diff

wp-admin/includes/file.php

@@ -301 +301 @@
         $test_form = true;
         $test_size = true;
         $test_upload = true;
+        $test_filename = true;
 
         // If you override this, you must provide $ext and $type!!!!
         $test_type = true;
@@ -327 +328 @@
                 return call_user_func($upload_error_handler, $file, $error_msg);
         }
 
+        // Ensure filenames don't contain more than one contiguous period character
+        if ( $test_filename && stristr( $file['name'], '..' ) !== false )
+                return call_user_func($upload_error_handler, $file, __( 'Please rename your file to avoid ".." within the file name.' ));
+
         // A properly uploaded file will pass this test. There should be no reason to override this one.
         if ( $test_upload && ! @ is_uploaded_file( $file['tmp_name'] ) )
                 return call_user_func($upload_error_handler, $file, __( 'Specified file failed upload test.' ));