Index: openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl,v
diff -u -r1.368.2.148 -r1.368.2.149
--- openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl 20 Dec 2023 11:04:28 -0000 1.368.2.148
+++ openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl 20 Dec 2023 13:13:20 -0000 1.368.2.149
@@ -1519,8 +1519,18 @@
 ::security::csrf::validate
 set disposition [:query_parameter disposition:wordchar File]
- set fileName [:query_parameter name:graph [ns_queryget upload]]
+ #
+ # Filename is sanitized. If it turns out to be made only of
+ # invalid characters, we complain.
+ #
+ set fileName [ad_sanitize_filename \
+ [ns_queryget name [ns_queryget upload]]]
+ if {[string length $filename] == 0} {
+ ad_return_complaint 1 [_ acs-templating.Invalid_filename]
+ ad_script_abort
+ }
+
 set dispositionClass ::xowiki::UploadFile
 if {[info commands ::xowiki::Upload$disposition] ne ""} {
 set dispositionClass ::xowiki::Upload$disposition