-rw-r--r-- | admin/site_update.php | 4 | ||||
-rw-r--r-- | i.php | 6 | ||||
-rw-r--r-- | include/config_default.inc.php | 3 |
3 files changed, 10 insertions, 3 deletions
diff --git a/admin/site_update.php b/admin/site_update.php
index 2861dc81f..40faec33e 100644
--- a/admin/site_update.php
+++ b/admin/site_update.php
@@ -208,7 +208,7 @@ SELECT id_uppercat, MAX(rank)+1 AS next_rank
 foreach (array_diff($fs_fulldirs, array_keys($db_fulldirs)) as $fulldir)
 {
 $dir = basename($fulldir);
- if (preg_match('/^[a-zA-Z0-9-_.]+$/', $dir))
+ if (preg_match($conf['sync_chars_regex'], $dir))
 {
 $insert = array(
 'id' => $next_id++,
@@ -374,7 +374,7 @@ SELECT id, path
 continue;
 }
 $filename = basename($path);
- if (!preg_match('/^[a-zA-Z0-9-_.]+$/', $filename))
+ if (!preg_match($conf['sync_chars_regex'], $filename))
 {
 array_push(
 $errors,
@@ -194,8 +194,12 @@ function parse_request()
 }
 $req = ltrim($req, '/');
- !preg_match('#[^a-zA-Z0-9/_.-]#', $req) or ierror('Invalid chars in request', 400);
+ foreach (preg_split('#/+#', $req) as $token)
+ {
+ preg_match($conf['sync_chars_regex'], $token) or ierror('Invalid chars in request', 400);
+ }
+
 $page['derivative_path'] = PHPWG_ROOT_PATH.PWG_DERIVATIVE_DIR.$req;
 $pos = strrpos($req, '.');
diff --git a/include/config_default.inc.php b/include/config_default.inc.php
index d09ebf302..7795f7731 100644
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@@ -746,6 +746,9 @@ $conf['ploader_download_linux'] = 'http://piwigo.org/ext/download.php?eid=269';
 // enable the synchronization method for adding photos
 $conf['enable_synchronization'] = true;
+// permitted characters for files/directoris during synchronization
+$conf['sync_chars_regex'] = '/^[a-zA-Z0-9-_.]+$/';
+
 // PEM url
 $conf['alternative_pem_url'] = ''; |
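Review bot: In both admin/site_update.php hunks (the directory check at -208 and the file check at -374) the return of `preg_match($conf['sync_chars_regex'], …)` is treated as a plain boolean, so a malformed site-supplied pattern, for which preg_match returns `false`, cannot be told apart from a name with bad characters. The visible branches fail closed, which is the safe direction, but the administrator would see every entry rejected as having invalid characters instead of a configuration error. Consider validating the pattern once before the loops, for example `if (false === preg_match($conf['sync_chars_regex'], '')) { /* report invalid sync_chars_regex and abort the sync */ }`. Both loops begin and end outside the hunks.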
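Review bot: The per-token check added to parse_request() accepts input the replaced line rejected: the old `#[^a-zA-Z0-9/_.-]#` test failed on any disallowed byte anywhere in `$req`, whereas the new pattern relies on `$`, which in PCRE also matches just before a final newline, so a token ending in a newline passes and is concatenated into `$page['derivative_path']`. Adding the `D` modifier (or using `\z`) to the default in include/config_default.inc.php closes this: `$conf['sync_chars_regex'] = '/^[a-zA-Z0-9-_.]+$/D';`. The change also makes the filter on a web-facing request path depend on a setting that sites will presumably loosen for synchronization, so it would be safer to keep a fixed rejection of control characters and path separators here in addition to the configurable pattern. `$conf` has to be in scope as a global inside parse_request(); the function's opening is outside the hunk, so that cannot be confirmed from here.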
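Review bot: The comment on `$conf['sync_chars_regex']` should state the constraints a site must keep when overriding it, because the same pattern is also applied to every path token of the request in i.php. Suggested wording: `// permitted characters for files/directories during synchronization; also applied to each path segment of i.php requests. Keep the pattern anchored and never allow '/', '\' or control characters.` That wording also fixes the "directoris" typo. Inside the character class the `-` between `0-9` and `_` is read as a literal only because it directly follows a range; writing the class as `[a-zA-Z0-9_.-]` is less fragile for anyone who edits it later.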