diff -Naur reference/moodlelib.php new/moodlelib.php
--- reference/moodlelib.php	2009-01-13 18:29:23.000000000 -0800
+++ new/moodlelib.php	2009-01-13 18:28:53.000000000 -0800
@@ -7422,8 +7422,7 @@
 //This function is used as callback in unzip_file() function
 //to clean illegal characters for given platform and to prevent directory traversal.
 //Produces the same result as info-zip unzip.
-    $p_header['filename'] = ereg_replace('[[:cntrl:]]', '', $p_header['filename']); //strip control chars first!
-    $p_header['filename'] = ereg_replace('\.\.+', '', $p_header['filename']); //directory traversal protection
+    $p_header['filename'] = clean_param($p_header['filename'], PARAM_PATH);	// generic test for bad characters
     if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
         $p_header['filename'] = ereg_replace('[:*"?<>|]', '_', $p_header['filename']); //replace illegal chars
         $p_header['filename'] = ereg_replace('^([a-zA-Z])_', '\1:', $p_header['filename']); //repair drive letter
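Review bot: The comment on the added `clean_param()` line, "generic test for bad characters", hides that this one call now carries both protections the removed lines spelled out (stripping control characters and removing `..` sequences), and the call sanitizes the name rather than testing it. Since the header comment still promises directory traversal prevention, I would write `// strips control chars and '..' sequences (directory traversal protection); relies on PARAM_PATH cleaning`. The PARAM_PATH rules are not visible in this hunk, so it is worth confirming that they cover both cases and that they do not already remove characters (for example `:`) which the Windows branch below expects to rewrite itself; a regression test with archive entry names containing `..` and control characters would pin that down. The callback's body starts and ends outside the hunk.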

