From 23719ab569c9c8d6b791f65d7861daba3895ddcb Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Thu, 1 Aug 2013 23:15:13 +0800 Subject: Add windows filename rule as an option for upload files --- system/core/Security.php | 51 ++++++++++++++++++++++++++++----------------- system/libraries/Upload.php | 12 +++++++++-- 2 files changed, 42 insertions(+), 21 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 196d61144..cd1cb1ab4 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -114,6 +114,36 @@ class CI_Security { "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); + /** + * List of bad chars for sanitize filename + * + * @var array + */ + private $_filename_bad_str_rules = array( + 'default' => array( + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ), + 'windows' => array( + '\\', '/', ':', '*', '?', + '"', '<', '>', '|', + ), + ); + /** * Class constructor * @@ -547,26 +577,9 @@ class CI_Security { * @param bool $relative_path Whether to preserve paths * @return string */ - public function sanitize_filename($str, $relative_path = FALSE) + public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default') { - $bad = array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + $bad = $this->_filename_bad_str_rules[$rule]; if ( ! $relative_path) { diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 85428044d..62eca6fdb 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -142,6 +142,13 @@ class CI_Upload { */ public $file_ext_tolower = FALSE; + /** + * Filename Rule + * + * @var string + */ + public $filename_rule = 'default'; + /** * Upload path * @@ -315,7 +322,8 @@ class CI_Upload { 'detect_mime' => TRUE, 'xss_clean' => FALSE, 'temp_prefix' => 'temp_file_', - 'client_name' => '' + 'client_name' => '', + 'filename_rule' => 'default', ); foreach ($defaults as $key => $val) @@ -472,7 +480,7 @@ class CI_Upload { // Sanitize the file name for security $CI =& get_instance(); - $this->file_name = $CI->security->sanitize_filename($this->file_name); + $this->file_name = $CI->security->sanitize_filename($this->file_name, FALSE, $this->filename_rule); // Truncate the file name if it's too long if ($this->max_filename > 0) -- cgit v1.2.3-24-g4f1b From 8df3352dff5f734c1b3831fdc131f676a9850d51 Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Sat, 3 Aug 2013 22:36:05 +0800 Subject: Revert "Add windows filename rule as an option for upload files" This reverts commit 23719ab569c9c8d6b791f65d7861daba3895ddcb. --- system/core/Security.php | 51 +++++++++++++++++---------------------------- system/libraries/Upload.php | 12 ++--------- 2 files changed, 21 insertions(+), 42 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index cd1cb1ab4..196d61144 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -114,36 +114,6 @@ class CI_Security { "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); - /** - * List of bad chars for sanitize filename - * - * @var array - */ - private $_filename_bad_str_rules = array( - 'default' => array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ), - 'windows' => array( - '\\', '/', ':', '*', '?', - '"', '<', '>', '|', - ), - ); - /** * Class constructor * @@ -577,9 +547,26 @@ class CI_Security { * @param bool $relative_path Whether to preserve paths * @return string */ - public function sanitize_filename($str, $relative_path = FALSE, $rule = 'default') + public function sanitize_filename($str, $relative_path = FALSE) { - $bad = $this->_filename_bad_str_rules[$rule]; + $bad = array( + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); if ( ! $relative_path) { diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 62eca6fdb..85428044d 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -142,13 +142,6 @@ class CI_Upload { */ public $file_ext_tolower = FALSE; - /** - * Filename Rule - * - * @var string - */ - public $filename_rule = 'default'; - /** * Upload path * @@ -322,8 +315,7 @@ class CI_Upload { 'detect_mime' => TRUE, 'xss_clean' => FALSE, 'temp_prefix' => 'temp_file_', - 'client_name' => '', - 'filename_rule' => 'default', + 'client_name' => '' ); foreach ($defaults as $key => $val) @@ -480,7 +472,7 @@ class CI_Upload { // Sanitize the file name for security $CI =& get_instance(); - $this->file_name = $CI->security->sanitize_filename($this->file_name, FALSE, $this->filename_rule); + $this->file_name = $CI->security->sanitize_filename($this->file_name); // Truncate the file name if it's too long if ($this->max_filename > 0) -- cgit v1.2.3-24-g4f1b From a8d6d3b13a0086c86e3dd69f0376be3a6982bc16 Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Sat, 3 Aug 2013 23:17:45 +0800 Subject: Make the bad filename array public in Security library --- system/core/Security.php | 56 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 18 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 196d61144..3d04d5e12 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -37,6 +37,30 @@ defined('BASEPATH') OR exit('No direct script access allowed'); */ class CI_Security { + /** + * List of sanitize filename strings + * + * @var array + */ + public $sanitize_filename_str = array( + '../', '', '<', '>', + "'", '"', '&', '$', '#', + '{', '}', '[', ']', '=', + ';', '?', '%20', '%22', + '%3c', // < + '%253c', // < + '%3e', // > + '%0e', // > + '%28', // ( + '%29', // ) + '%2528', // ( + '%26', // & + '%24', // $ + '%3f', // ? + '%3b', // ; + '%3d' // = + ); + /** * XSS Hash * @@ -540,6 +564,19 @@ class CI_Security { // -------------------------------------------------------------------- + /** + * Set Sanitize Filename Strings + * + * @param array $strings + * @return void + */ + public function set_sanitize_filename_str($strings) + { + $this->sanitize_filename_str = $strings; + } + + // -------------------------------------------------------------------- + /** * Sanitize Filename * @@ -549,24 +586,7 @@ class CI_Security { */ public function sanitize_filename($str, $relative_path = FALSE) { - $bad = array( - '../', '', '<', '>', - "'", '"', '&', '$', '#', - '{', '}', '[', ']', '=', - ';', '?', '%20', '%22', - '%3c', // < - '%253c', // < - '%3e', // > - '%0e', // > - '%28', // ( - '%29', // ) - '%2528', // ( - '%26', // & - '%24', // $ - '%3f', // ? - '%3b', // ; - '%3d' // = - ); + $bad = $this->sanitize_filename_str; if ( ! $relative_path) { -- cgit v1.2.3-24-g4f1b From 4495cc740c1c0e382cc62d3d174abd17c0b4d84f Mon Sep 17 00:00:00 2001 From: Hunter Wu Date: Sun, 4 Aug 2013 12:31:52 +0800 Subject: Rename bad chars property to filename_bad_chars, remove the setter and add changelog entry --- system/core/Security.php | 17 ++--------------- user_guide_src/source/changelog.rst | 1 + 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 3d04d5e12..70cf3e013 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -42,7 +42,7 @@ class CI_Security { * * @var array */ - public $sanitize_filename_str = array( + public $filename_bad_chars = array( '../', '', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', @@ -564,19 +564,6 @@ class CI_Security { // -------------------------------------------------------------------- - /** - * Set Sanitize Filename Strings - * - * @param array $strings - * @return void - */ - public function set_sanitize_filename_str($strings) - { - $this->sanitize_filename_str = $strings; - } - - // -------------------------------------------------------------------- - /** * Sanitize Filename * @@ -586,7 +573,7 @@ class CI_Security { */ public function sanitize_filename($str, $relative_path = FALSE) { - $bad = $this->sanitize_filename_str; + $bad = $this->filename_bad_chars; if ( ! $relative_path) { diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4cef0e683..fd1ce2dc0 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -416,6 +416,7 @@ Release Date: Not Released - Added method ``strip_image_tags()``. - Added ``$config['csrf_regeneration']``, which makes token regeneration optional. - Added ``$config['csrf_exclude_uris']``, which allows you list URIs which will not have the CSRF validation methods run. + - Changed ``sanitize_filename()``, makes filename_bad_chars a public property. - :doc:`URI Routing ` changes include: -- cgit v1.2.3-24-g4f1b