added filename prepping in the Upload library to prevent files with multiple extensions from potentially being parsed as a script by Apache
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 2a3f53d..760d939 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -185,7 +185,7 @@
 

 		// Set the uploaded data as class variables

 		$this->file_temp = $_FILES[$field]['tmp_name'];		

-		$this->file_name = $_FILES[$field]['name'];

+		$this->file_name = $this->_prep_filename($_FILES[$field]['name']);

 		$this->file_size = $_FILES[$field]['size'];		

 		$this->file_type = preg_replace("/^(.+?);.*$/", "\\1", $_FILES[$field]['type']);

 		$this->file_type = strtolower($this->file_type);

@@ -833,6 +833,46 @@
 		return ( ! isset($this->mimes[$mime])) ? FALSE : $this->mimes[$mime];

 	}

 

+	/**

+	 * Prep Filename

+	 *

+	 * Prevents possible script execution from Apache's handling of files multiple extensions

+     * http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext

+	 *

+	 * @access	private

+	 * @param	string

+	 * @return	string

+	 */

+	function _prep_filename($filename)

+	{

+		if (strpos($filename, '.') === FALSE)

+		{

+			return $filename;

+		}

+		

+		$parts		= explode('.', $filename);

+		$ext		= array_pop($parts);

+		$filename	= array_shift($parts);

+				

+		foreach ($parts as $part)

+		{

+			if ($this->mimes_types(strtolower($part)) === FALSE)

+			{

+				$filename .= '.'.$part.'_';

+			}

+			else

+			{

+				$filename .= '.'.$part;

+			}

+		}

+		

+		$filename .= '.'.$ext;

+		

+		return $filename;

+	}

+

+	// --------------------------------------------------------------------

+

 }

 // END Upload Class

 ?>
\ No newline at end of file
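Review bot: The loop in `_prep_filename` appends `_` only to middle segments that `mimes_types()` does not recognise, so any segment with an entry in `$this->mimes` is kept verbatim. If that table lists script extensions (it is not visible in this hunk), a name carrying one as a middle segment passes through unchanged, which is the case the docblock says it prevents. The test should key on what this upload permits rather than on what the mime table knows, e.g. `if ($this->mimes_types(strtolower($part)) === FALSE OR ! in_array(strtolower($part), $this->allowed_types))`, assuming the class keeps its permitted extensions as an array in `allowed_types` (declared outside this hunk, so confirm its shape). The docblock should also name the parameter, `@param string $filename`, and say that the final extension is appended untouched and must be validated elsewhere.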