From 8c70783d5aa2050901911beae44c44afbedaf636 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Thu, 8 May 2025 04:58:57 -0400
Subject: [PATCH] fix(upload): relax filename validation regex to allow broader Unicode and special chars (closes #29)
---
 CHANGELOG.md | 1 +
 config/config.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab61c7a..3186009 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@
 - Defined `AUTH_HEADER` (normalized, e.g. `"X_REMOTE_USER"`) based on `loginOptions.authHeaderName`.
 - Inserted a **proxy-only auto-login** block *before* the usual session/auth checks: If `AUTH_BYPASS` is true and the trusted header (`$_SERVER['HTTP_' . AUTH_HEADER]`) is present, bump the session, mark the user authenticated/admin, load their permissions, and skip straight to JSON output.
+- Relax filename validation regex to allow broader Unicode and special chars
 ### src/controllers/AdminController.php
diff --git a/config/config.php b/config/config.php
index 2be927b..64f754c 100644
--- a/config/config.php
+++ b/config/config.php
@@ -30,7 +30,7 @@ define('DATE_TIME_FORMAT','m/d/y h:iA');
 define('TOTAL_UPLOAD_SIZE','5G');
 define('REGEX_FOLDER_NAME', '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u');
 define('PATTERN_FOLDER_NAME','[\p{L}\p{N}_\-\s\/\\\\]+');
-define('REGEX_FILE_NAME', '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u');
+define('REGEX_FILE_NAME', '/^[^\x00-\x1F\/\\\\]{1,255}$/u');
 define('REGEX_USER', '/^[\p{L}\p{N}_\- ]+$/u');
 date_default_timezone_set(TIMEZONE);
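Review bot: The new `REGEX_FILE_NAME` in config/config.php still ends in `$`, which in PCRE also matches just before a final newline, so a name with a trailing `\n` (constructed example: `report.txt\n`) passes even though the class is meant to exclude control characters; anchoring with `\z` closes that, e.g. `define('REGEX_FILE_NAME', '/^[^\x00-\x1F\x7F\/\\\\]{1,255}\z/u');`, which also rejects DEL. The change replaces an allow-list with a deny-list, so `<`, `>`, `"`, `'`, `&`, `:`, `*`, `|` and Unicode format characters such as bidi overrides are now accepted. Every place that renders a file name into HTML, puts it in a response header or command line, or stores it on a Windows/NTFS volume therefore has to escape or reject them, and none of those sinks are visible in this hunk. Names made only of dots (`.`, `..`) match the pattern too, so an explicit check for them belongs next to the regex. `{1,255}` counts code points under `/u`, while most filesystems limit a name to 255 bytes, so a long multibyte name can pass validation and still fail at write time.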