From bf4fd867a37dbf5892fb42484e303fb006f66327 Mon Sep 17 00:00:00 2001
From: Ryan Huffman
Date: Thu, 22 Feb 2018 09:29:18 -0800
Subject: [PATCH] Add rejection for invalid manual backup names
---
 domain-server/src/DomainContentBackupManager.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/domain-server/src/DomainContentBackupManager.cpp b/domain-server/src/DomainContentBackupManager.cpp
index 9c72d64eea..e8deb79814 100644
--- a/domain-server/src/DomainContentBackupManager.cpp
+++ b/domain-server/src/DomainContentBackupManager.cpp
@@ -44,6 +44,7 @@ static const QString DATETIME_FORMAT { "yyyy-MM-dd_HH-mm-ss" };
 static const QString DATETIME_FORMAT_RE { "\\d{4}-\\d{2}-\\d{2}_\\d{2}-\\d{2}-\\d{2}" };
 static const QString AUTOMATIC_BACKUP_PREFIX { "autobackup-" };
 static const QString MANUAL_BACKUP_PREFIX { "backup-" };
+static const QString MANUAL_BACKUP_NAME_RE { "[a-zA-Z0-9\\-_ ]+" };
 void DomainContentBackupManager::addBackupHandler(BackupHandlerPointer handler) {
 _backupHandlers.push_back(std::move(handler));
@@ -561,9 +562,17 @@ void DomainContentBackupManager::createManualBackup(MiniPromise::Promise promise
 return;
 }
+
+ QRegExp nameRE { MANUAL_BACKUP_NAME_RE };
 bool success;
- QString path;
- std::tie(success, path) = createBackup(MANUAL_BACKUP_PREFIX, name);
+
+ if (!nameRE.exactMatch(name)) {
+ qDebug() << "Cannot create manual backup with invalid name: " << name;
+ success = false;
+ } else {
+ QString path;
+ std::tie(success, path) = createBackup(MANUAL_BACKUP_PREFIX, name);
+ }
 promise->resolve({
 { "success", success }
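Review bot: `MANUAL_BACKUP_NAME_RE` in the first hunk carries no comment explaining why the character set is restricted, and its `+` quantifier puts no upper bound on the name length. The `createBackup(MANUAL_BACKUP_PREFIX, name)` call in the second hunk suggests the name ends up in the backup file name, so the allow-list is presumably what keeps path separators and dots out of it; that intent should be written down so a later edit does not widen the class. I would add `// Allow-list for manual backup names: the name is used in the backup file name, so no separators or dots` above the constant and bound the quantifier, for example `{1,64}` in place of `+` (64 is an illustrative limit, not a project value).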
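Review bot: The check added in the second hunk still accepts a name made only of spaces, or one with leading or trailing spaces, because the space is part of the class and `exactMatch` only tests the character set. Such names give backup entries that are hard to tell apart or to address later; rejecting them in the same condition is enough, e.g. `if (name.trimmed().isEmpty() || name != name.trimmed() || !nameRE.exactMatch(name)) {`. The validation also lives only in createManualBackup, whose body starts and ends outside the hunk; if any other caller passes a user-supplied name to createBackup (not visible here), the check belongs at that level instead.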