From aad46951e0b144bcc744fdcf285e186654045b02 Mon Sep 17 00:00:00 2001
From: DHTMLGoodies
Date: Wed, 28 Aug 2013 13:25:50 +0200
Subject: [PATCH] Sanitize file name

---
 PgnParser.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/PgnParser.php b/PgnParser.php
index a025004..a1a05f9 100644
--- a/PgnParser.php
+++ b/PgnParser.php
@@ -13,13 +13,25 @@ class PgnParser
     public function __construct($pgnFile = "", $fullParsing =true) {
         if ($pgnFile) {
-            $this->pgnFile = $pgnFile;
+            $this->pgnFile = $this->sanitize($pgnFile);
         }
         $this->_fullParsing = $fullParsing;
         $this->gameParser = new GameParser();
         $this->pgnGameParser = new PgnGameParser();
     }
+    private function sanitize($filePath){
+        $extension = $this->getExtension($filePath);
+        if($extension != 'pgn')return null;
+        if(substr($filePath,0,1)==="/")return null;
+        if(!file_exists($filePath))return null;
+        return preg_replace("/[^0-9\.a-z_\-]/si", "", $filePath);
+    }
+
+    private function getExtension($filePath){
+        $tokens = explode(".", $filePath);
+        return strtolower(array_pop($tokens));
+    }
     public function setPgnContent($content)