From 009c8f09fbe767b01453f32b28f8a8a8dd4ef7c5 Mon Sep 17 00:00:00 2001
From: gommarah <gommarah@gmail.com>
Date: Mon, 28 Jan 2013 13:45:50 +0200
Subject: Upload library, clean_file_name function: Fix xss bug.

For example: If you clear this string "%%3f3f" according to the $bad array will fail. The result will be "%3f"
Because str_replace() replaces left to right.

Signed-off-by: xeptor <servetozkan@live.com>
---
 system/libraries/Upload.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 96bb17edc..86c93411e 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -1005,6 +1005,13 @@ class CI_Upload {
 				'%3d'		// =
 			);
 
+		do
+		{
+			$old_filename = $filename;
+			$filename = str_replace($bad, '', $filename);
+		}
+		while ($old_filename !== $filename);
+
 		return stripslashes(str_replace($bad, '', $filename));
 	}
 
-- 
cgit v1.2.3-24-g4f1b