=== modified file 'ChangeLog'
--- widelands-15/ChangeLog	2010-03-26 08:57:09 +0000
+++ widelands-15/ChangeLog	2011-03-05 15:40:23 +0000
@@ -1,3 +1,6 @@
+### Build 15.1
+- Fixed a potential security issue in internet games
+
 ### Build 15 rc2
 - Removed registering functionality for metaserver. This is to be compatible
   with future changes to the metaserver.

=== modified file 'WL_RELEASE'
--- widelands-15/WL_RELEASE	2010-04-10 16:16:12 +0000
+++ widelands-15/WL_RELEASE	2011-03-05 15:40:23 +0000
@@ -1,1 +1,1 @@
-build-15
+build-15.1

=== modified file 'src/editor/ui_menus/editor_main_menu_new_map.cc'
--- widelands-15/src/editor/ui_menus/editor_main_menu_new_map.cc	2009-11-22 23:03:13 +0000
+++ widelands-15/src/editor/ui_menus/editor_main_menu_new_map.cc	2011-03-05 15:40:23 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002-2004, 2006-2009 by the Widelands Development Team
+ * Copyright (C) 2002-2004, 2006-2009, 2011 by the Widelands Development Team
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -113,7 +113,7 @@
 		 posx, posy, width, height,
 		 g_gr->get_picture(PicMod_UI, "pics/but1.png"),
 		 &Main_Menu_New_Map::button_clicked, *this, 4,
-		 Widelands::World::World(m_worlds[m_currentworld].c_str()).get_name());
+		 Widelands::World(m_worlds[m_currentworld].c_str()).get_name());
 
 	posy += height + spacing + spacing + spacing;
 
@@ -142,7 +142,7 @@
 		if (m_currentworld == m_worlds.size())
 			m_currentworld = 0;
 		m_world->set_title
-			(Widelands::World::World(m_worlds[m_currentworld].c_str()).get_name
+			(Widelands::World(m_worlds[m_currentworld].c_str()).get_name
 			 	());
 		break;
 	}

=== modified file 'src/editor/ui_menus/editor_main_menu_random_map.cc'
--- widelands-15/src/editor/ui_menus/editor_main_menu_random_map.cc	2009-11-24 09:43:42 +0000
+++ widelands-15/src/editor/ui_menus/editor_main_menu_random_map.cc	2011-03-05 15:40:23 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002-2004, 2006-2009 by the Widelands Development Team
+ * Copyright (C) 2002-2004, 2006-2009, 2011 by the Widelands Development Team
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -272,7 +272,7 @@
 		 posx, posy, width, height,
 		 g_gr->get_picture(PicMod_UI, "pics/but1.png"),
 		 &Main_Menu_New_Random_Map::button_clicked, *this, 8,
-		 Widelands::World::World(m_worlds[m_currentworld].c_str()).get_name());
+		 Widelands::World(m_worlds[m_currentworld].c_str()).get_name());
 
 	posy += height + spacing + spacing + spacing;
 
@@ -343,7 +343,7 @@
 		if (m_currentworld == m_worlds.size())
 			m_currentworld = 0;
 		m_world->set_title
-			(Widelands::World::World(m_worlds[m_currentworld].c_str()).get_name());
+			(Widelands::World(m_worlds[m_currentworld].c_str()).get_name());
 		break;
 	case 9:
 		break;
@@ -476,7 +476,7 @@
 			(strcmp(mapInfo.worldName.c_str(), m_worlds[m_currentworld].c_str()))
 			++m_currentworld;
 		m_world->set_title
-			(Widelands::World::World(m_worlds[m_currentworld].c_str()).get_name());
+			(Widelands::World(m_worlds[m_currentworld].c_str()).get_name());
 
 		button_clicked(-1);  // Update other values in UI as well
 

=== modified file 'src/io/filesystem/filesystem.cc'
--- widelands-15/src/io/filesystem/filesystem.cc	2010-04-01 16:14:18 +0000
+++ widelands-15/src/io/filesystem/filesystem.cc	2011-03-05 15:40:23 +0000
@@ -112,6 +112,10 @@
 		temp = fixedpath.at(i);
 		if (temp == "\\")
 			fixedpath.at(i) = m_filesep;
+		// As a security measure, eat all dots and tildes away when file is
+		// tranferred over network.
+		if (temp == "." || temp == "~")
+			 fixedpath.at(i) = '-';
 	}
 	return fixedpath;
 #endif

=== modified file 'src/network/netclient.cc'
--- widelands-15/src/network/netclient.cc	2010-04-01 12:08:39 +0000
+++ widelands-15/src/network/netclient.cc	2011-03-05 15:40:23 +0000
@@ -35,6 +35,8 @@
 #include "warning.h"
 #include "wexception.h"
 #include "wlapplication.h"
+#include "game_io/game_loader.h"
+#include "map_io/widelands_map_loader.h"
 
 #include "ui_basic/messagebox.h"
 #include "ui_basic/progresswindow.h"
@@ -572,7 +574,7 @@
 				}
 			}
 			// Don't overwrite the file, better rename the original one
-			g_fs->Rename(path, "backup-" + path);
+			g_fs->Rename(path, backupFileName(path));
 		}
 
 		// Yes we need the file!
@@ -659,6 +661,40 @@
 				s.Unsigned8(NETCMD_CHAT);
 				s.String(_("/me 's file failed md5 checksumming."));
 				s.send(d->sock);
+				g_fs->Unlink(file->filename);
+			}
+			// Check file for validity
+			bool invalid = false;
+			if (d->settings.savegame) {
+				// Saved game check - does Widelands recognize the file as saved game?
+				Widelands::Game game;
+				try {
+					Widelands::Game_Loader gl(file->filename, game);
+				} catch (...) {
+					invalid = true;
+				}
+			} else {
+				// Map check - does Widelands recognize the file as map?
+				Widelands::Map map;
+				Widelands::Map_Loader * const ml = map.get_correct_loader(file->filename.c_str());
+				if (!ml)
+					invalid = true;
+			}
+			if (invalid) {
+				g_fs->Unlink(file->filename);
+				// Restore original file, if there was one before
+				if (g_fs->FileExists(backupFileName(file->filename)))
+					g_fs->Rename(backupFileName(file->filename), file->filename);
+
+				/* TODO Uncomment after Build16 string freeze
+				s.reset();
+				s.Unsigned8(NETCMD_CHAT);
+				s.String
+					(_
+					  ("/me checked the recieved file. Although md5 check summing succeded, "
+					   "I can not handle the file."));
+				s.send(d->sock);
+				*/
 			}
 		}
 		break;

=== modified file 'src/network/netclient.h'
--- widelands-15/src/network/netclient.h	2010-01-07 10:51:25 +0000
+++ widelands-15/src/network/netclient.h	2011-03-05 15:40:23 +0000
@@ -88,6 +88,9 @@
 	std::vector<ChatMessage> const & getMessages() const;
 
 private:
+	/// for unique backupname
+	std::string backupFileName(std::string & path) {return path + "~backup";}
+
 	NetTransferFile * file;
 
 	void syncreport();

