Upload library, clean_file_name function: Fix xss bug. For example: If you clear this string "%%3f3f" according to the $bad array will fail. The result will be "%3f" Because str_replace() replaces left to right. Signed-off-by: xeptor <servetozkan@live.com>

commit: 009c8f09fbe767b01453f32b28f8a8a8dd4ef7c5 [log] [tgz]
author: gommarah <gommarah@gmail.com> Mon Jan 28 13:45:50 2013 +0200
committer: gommarah <gommarah@gmail.com> Mon Jan 28 13:45:50 2013 +0200
tree: bbdd8ce77e42839fb8c0c4f2f3a0d0074e9c5722
parent: 606fee0e2e0aa6a906db82e77090e91f133d7378 [diff]
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 96bb17e..86c9341 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php

@@ -1005,6 +1005,13 @@
 				'%3d'		// =
 			);
 
+		do
+		{
+			$old_filename = $filename;
+			$filename = str_replace($bad, '', $filename);
+		}
+		while ($old_filename !== $filename);
+
 		return stripslashes(str_replace($bad, '', $filename));
 	}
commit	009c8f09fbe767b01453f32b28f8a8a8dd4ef7c5	[log] [tgz]
author	gommarah <gommarah@gmail.com>	Mon Jan 28 13:45:50 2013 +0200
committer	gommarah <gommarah@gmail.com>	Mon Jan 28 13:45:50 2013 +0200
tree	bbdd8ce77e42839fb8c0c4f2f3a0d0074e9c5722
parent	606fee0e2e0aa6a906db82e77090e91f133d7378 [diff]