From 03626bc14248b7bde5c89be1c546f008e74d1538 Mon Sep 17 00:00:00 2001
From: Joshua Fontany
Date: Sun, 3 Jan 2021 03:50:14 -0800
Subject: [PATCH] always test ext in tiddler title and remove it (#5329)

* always test ext in tiddler title and remove it

* patch custom ext length vulernability
---
 core/modules/utils/filesystem.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/modules/utils/filesystem.js b/core/modules/utils/filesystem.js
index c530b095d..9d05f7a8d 100644
--- a/core/modules/utils/filesystem.js
+++ b/core/modules/utils/filesystem.js
@@ -342,10 +342,6 @@ exports.generateTiddlerFilepath = function(title,options) {
 filepath = originalpath.substring(0,originalpath.length - ext.length);
 } else if(!filepath) {
 filepath = title;
- // If the filepath already ends in the extension then remove it
- if(filepath.substring(filepath.length - extension.length) === extension) {
- filepath = filepath.substring(0,filepath.length - extension.length);
- }
 // Remove any forward or backward slashes so we don't create directories
 filepath = filepath.replace(/\/|\\/g,"_");
 }
@@ -354,12 +350,20 @@ exports.generateTiddlerFilepath = function(title,options) {
 // Don't let the filename start with any dots because such files are invisible on *nix
 filepath = filepath.replace(/^\.+/g,"_");
 }
+ // If the filepath already ends in the extension then remove it
+ if(filepath.substring(filepath.length - extension.length) === extension) {
+ filepath = filepath.substring(0,filepath.length - extension.length);
+ }
 // Remove any characters that can't be used in cross-platform filenames
 filepath = $tw.utils.transliterate(filepath.replace(/<|>|~|\:|\"|\||\?|\*|\^/g,"_"));
 // Truncate the filename if it is too long
 if(filepath.length > 200) {
 filepath = filepath.substr(0,200);
 }
+ // Truncate the extension if it is too long
+ if(extension.length > 32) {
+ extension = extension.substr(0,32);
+ }
 // If the resulting filename is blank (eg because the title is just punctuation characters)
 if(!filepath) {
 // ...then just use the character codes of the title
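Review bot: The new 32-character cap is the only check `extension` receives in this hunk, whereas `filepath` is also run through the slash replacement and the illegal-character/transliterate pass visible in the context lines; if `extension` can be supplied from tiddler fields rather than being fixed by the caller, a length cap alone still lets it carry `/`, `\` or other characters that the filepath pass rewrites, so applying the same replacement, e.g. `extension = extension.replace(/\/|\\/g,"_");` next to the truncation, would keep both halves of the generated name under the same rule. Where `extension` is assigned is outside the hunk, so whether it is caller-controlled is inferred. The added strip-check would read more directly as `if(filepath.endsWith(extension))`, and `substr` is deprecated in favour of `slice(0,32)`. generateTiddlerFilepath continues past the end of the hunk.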