diff options
author | gommarah <gommarah@gmail.com> | 2013-01-28 12:45:50 +0100 |
---|---|---|
committer | gommarah <gommarah@gmail.com> | 2013-01-28 12:45:50 +0100 |
commit | 009c8f09fbe767b01453f32b28f8a8a8dd4ef7c5 (patch) | |
tree | bbdd8ce77e42839fb8c0c4f2f3a0d0074e9c5722 /system/libraries/Upload.php | |
parent | 606fee0e2e0aa6a906db82e77090e91f133d7378 (diff) |
Upload library, clean_file_name function: Fix xss bug.
For example: If you clear this string "%%3f3f" according to the $bad array will fail. The result will be "%3f"
Because str_replace() replaces left to right.
Signed-off-by: xeptor <servetozkan@live.com>
Diffstat (limited to 'system/libraries/Upload.php')
-rw-r--r-- | system/libraries/Upload.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 96bb17edc..86c93411e 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -1005,6 +1005,13 @@ class CI_Upload { '%3d' // = ); + do + { + $old_filename = $filename; + $filename = str_replace($bad, '', $filename); + } + while ($old_filename !== $filename); + return stripslashes(str_replace($bad, '', $filename)); } |