-rw-r--r-- | system/core/Security.php | 51 | ||||
-rw-r--r-- | system/libraries/Upload.php | 12 |
2 files changed, 21 insertions, 42 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index cd1cb1ab4..196d61144 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -115,36 +115,6 @@ class CI_Security {
 );
 
 /**
- * List of bad chars for sanitize filename
- *
- * @var array
- */
- private $_filename_bad_str_rules = array(
- 'default' => array(
- '../', '<!--', '-->', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- ),
- 'windows' => array(
- '\\', '/', ':', '*', '?',
- '"', '<', '>', '|',
- ),
- );
-
- /**
 * Class constructor
 *
 * @return void
@@ -577,9 +547,26 @@ class CI_Security {
 * @param bool $relative_path Whether to preserve paths
 * @return string
 */
- public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default')
+ public function sanitize_filename($str, $relative_path = FALSE)
 {
- $bad = $this->_filename_bad_str_rules[$rule];
+ $bad = array(
+ '../', '<!--', '-->', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
 
 if ( ! $relative_path)
 {
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 62eca6fdb..85428044d 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -143,13 +143,6 @@ class CI_Upload {
 public $file_ext_tolower = FALSE;
 
 /**
- * Filename Rule
- *
- * @var string
- */
- public $filename_rule = 'default';
-
- /**
 * Upload path
 *
 * @var string
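Review bot: The comment `// >` on the `'%0e'` entry of the new `$bad` array in sanitize_filename is wrong: `%0e` is the percent-encoding of the shift-out control byte (0x0E), while `>` is `%3e`, which is already the entry directly above it. I'd correct the comment to `'%0e', // shift-out control char (0x0E)`; if `%3e` was actually meant and this entry is an accidental duplicate, that needs confirming before the list is touched, since the removed `$_filename_bad_str_rules` property carried the same entry and comment. sanitize_filename's body continues past the end of the hunk, so the code that applies `$bad` to `$str` is not visible here.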
@@ -322,8 +315,7 @@ class CI_Upload {
 'detect_mime' => TRUE,
 'xss_clean' => FALSE,
 'temp_prefix' => 'temp_file_',
- 'client_name' => '',
- 'filename_rule' => 'default',
+ 'client_name' => ''
 );
 
 foreach ($defaults as $key => $val)
@@ -480,7 +472,7 @@ class CI_Upload {
 
 // Sanitize the file name for security
 $CI =& get_instance();
- $this->file_name = $CI->security->sanitize_filename($this->file_name, FALSE, $this->filename_rule);
+ $this->file_name = $CI->security->sanitize_filename($this->file_name);
 
 // Truncate the file name if it's too long
 if ($this->max_filename > 0)
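Review bot: The rewritten `'client_name' => ''` line in the `$defaults` array drops the trailing comma the removed line had; PHP accepts a trailing comma in array literals, and keeping it as `'client_name' => '',` means the next entry added to `$defaults` changes one line instead of two. The second hunk in this file, the simplified `sanitize_filename($this->file_name)` call, is fine as written. Both hunks sit inside methods whose start and end lie outside the diff.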