Last modified: 2014-08-22 12:32:36 UTC
Currently, the maintenance/cleanupImages.php script will happily move files to names that would not be permitted for new uploads. Most glaringly, the current implementation of ImageCleanup::buildSafeTitle() may deliberately insert backslashes into file names, even though wfBaseName(), as called from UploadBase::getTitle() via wfStripIllegalFilenameChars(), explicitly says that "we don't want \s in our [...] paths".
Confirming that ./includes/upload/UploadBase.php calls wfStripIllegalFilenameChars while ./maintenance/cleanupImages.php does not.
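The mismatch reported above can be guarded against by requiring every name a maintenance script generates to pass unchanged through the same sanitizer that uploads use. The sketch below is an added example, not MediaWiki code and not taken from this report. Every function name in it is hypothetical, the allow-list is a simplified assumption, and the sample names are constructed.

```php
<?php
// Added illustration; not MediaWiki code. All function names are hypothetical.

// Stand-in for the basename step of the upload path: keep only the part
// after the last "/" or "\" (assumption modelled on the wfBaseName()
// comment quoted in the report).
function uploadStyleBaseName( string $path ): string {
	$trimmed = rtrim( $path, '/\\' );
	$parts = preg_split( '#[/\\\\]#', $trimmed );
	return (string)end( $parts );
}

// Stand-in for the upload-side sanitizer: basename first, then replace
// every character outside a simplified allow-list with "-".
function uploadStyleSanitize( string $name ): string {
	return preg_replace( '/[^A-Za-z0-9 ._()-]/', '-', uploadStyleBaseName( $name ) );
}

// A generated name is acceptable as a rename target only if the upload
// path would store it unchanged (it is a fixed point of the sanitizer).
function isUploadSafe( string $name ): bool {
	return $name !== '' && uploadStyleSanitize( $name ) === $name;
}

// Constructed candidates, as a cleanup script might propose them.
$candidates = [
	'Photo_2014.jpg',     // plain name
	'Bad\\x7ename.jpg',   // contains a backslash, as described in the report
	'dir/Photo.jpg',      // contains a path separator
];

foreach ( $candidates as $candidate ) {
	if ( isUploadSafe( $candidate ) ) {
		printf( "%-18s ok\n", $candidate );
	} else {
		printf(
			"%-18s REJECT (upload path would store \"%s\")\n",
			$candidate,
			uploadStyleSanitize( $candidate )
		);
	}
}
```

Running the check before the move, rather than after, keeps the rename path from ever writing a name that the upload path would have refused.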