Replace CI_Upload::clean_file_name() usage with CI_Security::sanitize_filename()
Also applied @xeptor's fix (a big thanks) to the sanitize_filename() method and added a changelog entry for it - fixes issue #73.
diff --git a/system/core/Security.php b/system/core/Security.php
index a6cd14a..7aae54e 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -576,7 +576,15 @@
}
$str = remove_invisible_characters($str, FALSE);
- return stripslashes(str_replace($bad, '', $str));
+
+ do
+ {
+ $old = $str;
+ $str = str_replace($bad, '', $str);
+ }
+ while ($old !== $str);
+
+ return stripslashes($str);
}
// ----------------------------------------------------------------
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 1f0bd6a..814ea68 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -463,7 +463,8 @@
}
// Sanitize the file name for security
- $this->file_name = $this->clean_file_name($this->file_name);
+ $CI =& get_instance();
+ $this->file_name = $CI->security->sanitize_filename($this->file_name);
// Truncate the file name if it's too long
if ($this->max_filename > 0)
@@ -971,53 +972,6 @@
// --------------------------------------------------------------------
/**
- * Clean the file name for security
- *
- * @param string $filename
- * @return string
- */
- public function clean_file_name($filename)
- {
- $bad = array(
- '<!--', '-->',
- "'", '"',
- '<', '>',
- '&', '$',
- '=',
- ';',
- '?',
- '/',
- '!',
- '#',
- '%20',
- '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
-
- do
- {
- $old_filename = $filename;
- $filename = str_replace($bad, '', $filename);
- }
- while ($old_filename !== $filename);
-
- return stripslashes($filename);
- }
-
- // --------------------------------------------------------------------
-
- /**
* Limit the File Name Length
*
* @param string $filename