From 3a26dce3a0b70af3a2e008eea1cb51761a0646ec Mon Sep 17 00:00:00 2001
From: qronald
Date: Wed, 31 May 2017 14:28:37 -0400
Subject: [PATCH] HOR-3284

---
 workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
index 910c28eb0..6031bd8e8 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
@@ -152,7 +152,7 @@ class FilesManager
     {
         try {
             $aData['prf_path'] = rtrim($aData['prf_path'], '/') . '/';
-            if (!$aData['prf_filename']) {
+            if (!$aData['prf_filename'] || strpbrk($aData['prf_filename'], "\\/?%*:|\"<>") !== false) {
                 throw new \Exception(\G::LoadTranslation("ID_INVALID_VALUE_FOR", array('prf_filename')));
             }
             $extention = strstr($aData['prf_filename'], '.');
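Review bot: The new blocklist on the `+` line rejects `/` and `\`, so slash-based traversal is stopped, but it still admits the bare names `.` and `..`; if prf_filename is later appended to the slash-terminated prf_path (not visible in this hunk, but the rtrim on the line above suggests it), a value of `..` resolves to the parent of the intended directory and should be rejected here with `|| in_array($aData['prf_filename'], ['.', '..'], true)`. A NUL byte is also absent from the rejected set; PHP's filesystem functions refuse it, but rejecting it in this guard yields the clean ID_INVALID_VALUE_FOR exception rather than a warning deeper in the write path, so `\0` belongs in the strpbrk character list (`"\\/?%*:|\"<>\0"`). A positive allowlist such as `preg_match('/^[A-Za-z0-9._-]+$/', $aData['prf_filename']) !== 1` would cover all of these cases at once and is easier to reason about than enumerating bad characters. Whether prf_path itself is validated against traversal is outside this hunk and worth confirming, as the enclosing method starts and ends outside the hunk.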