www: tighten up allowable filenames for attachments

[public-inbox.git] / lib / PublicInbox / View.pm

diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index ec5f39076eccc64d15d87699ca8919e2b4d3200f..21949812d5789131bb6bba536ed582e334c38edb 100644 (file)
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -261,7 +261,7 @@ sub attach_link ($$$$) {
        $desc = $fn unless defined $desc;
        $desc = '' unless defined $desc;
        my $sfn;
-       if (defined $fn && $fn =~ /\A[\w\.-]+[a-zA-Z0-9]\z/) {
+       if (defined $fn && $fn =~ /\A[[:alnum:]][\w\.-]+[[:alnum:]]\z/) {
                $sfn = $fn;
        } elsif ($ct eq 'text/plain') {
                $sfn = 'a.txt';