diff --git a/src/applications/files/storage/PhabricatorFile.php b/src/applications/files/storage/PhabricatorFile.php
index d2be63ad30..888d49234c 100644
--- a/src/applications/files/storage/PhabricatorFile.php
+++ b/src/applications/files/storage/PhabricatorFile.php
@@ -368,7 +368,19 @@ final class PhabricatorFile extends PhabricatorFileDAO
 }
 public static function normalizeFileName($file_name) {
- return preg_replace('/[^a-zA-Z0-9.~_-]/', '_', $file_name);
+ $pattern = "@[\\x00-\\x19#%&+!~'\$\"\/=\\\\?<> ]+@";
+ $file_name = preg_replace($pattern, '_', $file_name);
+ $file_name = preg_replace('@_+@', '_', $file_name);
+ $file_name = trim($file_name, '_');
+
+ $disallowed_filenames = array(
+ '.' => 'dot',
+ '..' => 'dotdot',
+ '' => 'file',
+ );
+ $file_name = idx($disallowed_filenames, $file_name, $file_name);
+
+ return $file_name;
 }
 public function delete() {
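Review bot: The control-character range in `$pattern` stops at `\x19`, so the C0 controls `\x1a`–`\x1f` (ESC among them) and DEL `\x7f` pass through normalizeFileName untouched; `\x1f` is the last C0 control, so the upper bound looks like a hex/decimal slip. Changing the class to `$pattern = "@[\\x00-\\x1f\\x7f#%&+!~'\$\"\/=\\\\?<> ]+@";` closes that gap without otherwise altering the replacement set. Because this hunk also turns the previous allow-list (`[^a-zA-Z0-9.~_-]`) into a deny-list, characters such as `:`, `*`, `|`, backtick and `;` now survive; if the normalized name is ever used in a filesystem path, a `Content-Disposition` header or a shell command (callers are not visible here), those are worth adding to the class as well. A comment on the pattern stating the intent, e.g. `// Strip C0/DEL controls, shell/URL metacharacters and path separators; non-ASCII is deliberately kept.`, would make the deny-list scope explicit for future edits.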