authorHunter Wu <hunter.wu@gmail.com>2013-08-03 17:17:45 +0200
committerHunter Wu <hunter.wu@gmail.com>2013-08-03 17:17:45 +0200
commita8d6d3b13a0086c86e3dd69f0376be3a6982bc16 (patch)
tree8e6c90dfd04ae9e504cb3c855d8db4bca91c65b8 /system/core
parent8df3352dff5f734c1b3831fdc131f676a9850d51 (diff)
Make the bad filename array public in Security library
Diffstat (limited to 'system/core')
-rw-r--r--system/core/Security.php56
1 files changed, 38 insertions, 18 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 196d61144..3d04d5e12 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -38,6 +38,30 @@ defined('BASEPATH') OR exit('No direct script access allowed');
class CI_Security {
/**
+ * List of sanitize filename strings
+ *
+ * @var array
+ */
+ public $sanitize_filename_str = array(
+ '../', '<!--', '-->', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
+
+ /**
* XSS Hash
*
* Random Hash for protecting URLs.
@@ -541,6 +565,19 @@ class CI_Security {
// --------------------------------------------------------------------
/**
+ * Set Sanitize Filename Strings
+ *
+ * @param array $strings
+ * @return void
+ */
+ public function set_sanitize_filename_str($strings)
+ {
+ $this->sanitize_filename_str = $strings;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
* Sanitize Filename
*
* @param string $str Input file name
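Review bot: `set_sanitize_filename_str()` replaces the whole blocklist with whatever the caller passes and never checks that `$strings` is an array, so a caller that means to add one entry and forgets to include the defaults silently drops `'../'` and the encoded variants that `sanitize_filename()` (third hunk, `$bad = $this->sanitize_filename_str;`) relies on. At minimum the parameter should be typed and the replacement semantics stated: `public function set_sanitize_filename_str(array $strings)` with a docblock line ` * Replaces the entire list; to extend it, merge with the current $sanitize_filename_str first.` The same exposure applies to the public property introduced in the first hunk, which any code holding the Security instance can overwrite, so the docblock there should say it is the list of substrings stripped from filenames rather than "List of sanitize filename strings". The `// >` comment beside `'%0e'` in that list also looks wrong, since `%0e` is not the percent-encoding of `>`, though the value itself is carried over unchanged from the removed code.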
@@ -549,24 +586,7 @@ class CI_Security {
*/
public function sanitize_filename($str, $relative_path = FALSE)
{
- $bad = array(
- '../', '<!--', '-->', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ $bad = $this->sanitize_filename_str;
if ( ! $relative_path)
{