From a8d6d3b13a0086c86e3dd69f0376be3a6982bc16 Mon Sep 17 00:00:00 2001
From: Hunter Wu
Date: Sat, 3 Aug 2013 23:17:45 +0800
Subject: Make the bad filename array public in Security library
---
 system/core/Security.php | 56 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 38 insertions(+), 18 deletions(-)
diff --git a/system/core/Security.php b/system/core/Security.php
index 196d61144..3d04d5e12 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -37,6 +37,30 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 */
 class CI_Security {

+ /**
+ * List of sanitize filename strings
+ *
+ * @var array
+ */
+ public $sanitize_filename_str = array(
+ '../', '', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
+
 /**
 * XSS Hash
 *
@@ -540,6 +564,19 @@ class CI_Security {

 // --------------------------------------------------------------------

+ /**
+ * Set Sanitize Filename Strings
+ *
+ * @param array $strings
+ * @return void
+ */
+ public function set_sanitize_filename_str($strings)
+ {
+ $this->sanitize_filename_str = $strings;
+ }
+
+ // --------------------------------------------------------------------
+
 /**
 * Sanitize Filename
 *
@@ -549,24 +586,7 @@ class CI_Security {
 */
 public function sanitize_filename($str, $relative_path = FALSE)
 {
- $bad = array(
- '../', '', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ $bad = $this->sanitize_filename_str;

 if ( ! $relative_path)
 {
--
cgit v1.2.3-24-g4f1b
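Review bot: The property added at the top of `CI_Security` is declared `public`, so the list that `sanitize_filename()` strips can be reassigned or emptied by any code holding the Security instance, with nothing ensuring that `'../'` and the encoded variants stay in it. The docblock `List of sanitize filename strings` does not convey this; I would expand it to say that these are substrings removed from filenames and that replacing the list, rather than appending to it, weakens the traversal and markup filtering. Separately, the inline comment on `'%0e', // >` does not match its entry, since `%3e` is the encoding of `>` and `%0e` is a control character; the comment was carried over unchanged from the `$bad` array removed in the third hunk. The class body continues outside this hunk.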
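Review bot: `set_sanitize_filename_str($strings)` assigns its argument without any check, so a non-array value or an empty array becomes `$bad` in `sanitize_filename()` (third hunk, `$bad = $this->sanitize_filename_str;`) and the default entries are dropped silently. An `array` type hint on the parameter, `public function set_sanitize_filename_str(array $strings)`, would reject non-arrays at the call site. The docblock should also state that the call replaces the built-in list instead of extending it, for example `Replaces (does not extend) the default list; merge with the existing entries to keep them`. Whether the remainder of `sanitize_filename()` tolerates a non-array value is not visible here, because its body continues past the third hunk.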