author | Andrey Andreev <narf@devilix.net> | 2013-08-04 12:28:18 +0200 |
committer | Andrey Andreev <narf@devilix.net> | 2013-08-04 12:28:18 +0200 |
commit | 4201aba8afefedf1b2f13d4f2402b77f6fe4d493 (patch) | |
tree | 6af7eeb78fdef0681d8215d44124c79e0395f8a8 | |
parent | c958eebea2525133bcef9fe47a5dfab9e23128dd (diff) | |
parent | 4495cc740c1c0e382cc62d3d174abd17c0b4d84f (diff) |
Merge pull request #2575 from wmh/filename_rule
Add windows filename rule as an option for upload files
-rw-r--r-- | system/core/Security.php | 43 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
2 files changed, 26 insertions, 18 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 196d61144..70cf3e013 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -38,6 +38,30 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 class CI_Security {
 
  /**
+ * List of sanitize filename strings
+ *
+ * @var array
+ */
+ public $filename_bad_chars = array(
+ '../', '<!--', '-->', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
+
+ /**
  * XSS Hash
  *
  * Random Hash for protecting URLs.
@@ -549,24 +573,7 @@ class CI_Security {
  */
  public function sanitize_filename($str, $relative_path = FALSE)
  {
- $bad = array(
- '../', '<!--', '-->', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ $bad = $this->filename_bad_chars;
 
  if ( ! $relative_path)
  {
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4cef0e683..fd1ce2dc0 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -416,6 +416,7 @@ Release Date: Not Released
- Added method ``strip_image_tags()``. - Added ``$config['csrf_regeneration']``, which makes token regeneration optional. - Added ``$config['csrf_exclude_uris']``, which allows you list URIs which will not have the CSRF validation methods run. + - Changed ``sanitize_filename()``, makes filename_bad_chars a public property. - :doc:`URI Routing <general/routing>` changes include: |
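Review bot: The new `$filename_bad_chars` property is `public` and mutable, so any code holding the Security instance can drop `'../'` or empty the array and silently weaken the path-traversal filtering that `sanitize_filename()` relies on, yet the docblock only says `List of sanitize filename strings`. Since the PR's stated goal is to let callers add rules, the docblock should make the contract explicit, e.g. `Strings stripped from filenames by sanitize_filename(). Append entries to add rules; do not remove '../' or its URL-encoded variants, which block directory traversal.` The inline comment on `'%0e', // >` is also wrong: `%3e` is the encoded `>`, while `%0e` is the shift-out control character, so it should read `'%0e', // shift-out (control character)`. If runtime extension is the only use case, a `protected` property with an append-only accessor would keep the removal case out of the public API.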
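Review bot: `$bad = $this->filename_bad_chars;` copies whatever the public property holds at call time, and nothing in this hunk verifies it is still a non-empty array before the remainder of the method, which continues outside the hunk, applies it, so an accidental `$this->security->filename_bad_chars = array();` disables traversal filtering with no error. A cheap floor keeps the old behaviour: `$bad = is_array($this->filename_bad_chars) ? $this->filename_bad_chars : array();` followed by `if ( ! in_array('../', $bad, TRUE)) { $bad[] = '../'; }`. The `if ( ! $relative_path)` branch that follows presumably extends `$bad` further; it is not visible here, so the guard belongs immediately after the assignment.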