summaryrefslogtreecommitdiffstats
path: root/system/libraries/Upload.php
diff options
context:
space:
mode:
authorgommarah <gommarah@gmail.com>2013-01-28 12:45:50 +0100
committergommarah <gommarah@gmail.com>2013-01-28 12:45:50 +0100
commit009c8f09fbe767b01453f32b28f8a8a8dd4ef7c5 (patch)
treebbdd8ce77e42839fb8c0c4f2f3a0d0074e9c5722 /system/libraries/Upload.php
parent606fee0e2e0aa6a906db82e77090e91f133d7378 (diff)
Upload library, clean_file_name function: Fix xss bug.
For example: If you clear this string "%%3f3f" according to the $bad array will fail. The result will be "%3f" Because str_replace() replaces left to right. Signed-off-by: xeptor <servetozkan@live.com>
Diffstat (limited to 'system/libraries/Upload.php')
-rw-r--r--system/libraries/Upload.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 96bb17edc..86c93411e 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -1005,6 +1005,13 @@ class CI_Upload {
'%3d' // =
);
+ do
+ {
+ $old_filename = $filename;
+ $filename = str_replace($bad, '', $filename);
+ }
+ while ($old_filename !== $filename);
+
return stripslashes(str_replace($bad, '', $filename));
}