From fd6c2bc7ed0ce474ac08fefb3efe88288368da98 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 3 Apr 2012 16:21:48 +0300 Subject: Fix issue #1238 --- system/database/DB_cache.php | 2 +- system/helpers/file_helper.php | 8 +++++--- user_guide_src/source/changelog.rst | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/system/database/DB_cache.php b/system/database/DB_cache.php index 58e6968c0..ff942856b 100644 --- a/system/database/DB_cache.php +++ b/system/database/DB_cache.php @@ -177,7 +177,7 @@ class CI_DB_Cache { */ public function delete_all() { - delete_files($this->db->cachedir, TRUE); + delete_files($this->db->cachedir, TRUE, 0, TRUE); } } diff --git a/system/helpers/file_helper.php b/system/helpers/file_helper.php index 6e8a4ded1..3a373efd3 100644 --- a/system/helpers/file_helper.php +++ b/system/helpers/file_helper.php @@ -121,11 +121,13 @@ if ( ! function_exists('write_file')) * * @param string path to file * @param bool whether to delete any directories found in the path + * @param int + * @param bool whether to skip deleting .htaccess and index page files * @return bool */ if ( ! function_exists('delete_files')) { - function delete_files($path, $del_dir = FALSE, $level = 0) + function delete_files($path, $del_dir = FALSE, $level = 0, $htdocs = FALSE) { // Trim the trailing slash $path = rtrim($path, DIRECTORY_SEPARATOR); @@ -141,9 +143,9 @@ if ( ! function_exists('delete_files')) { if (is_dir($path.DIRECTORY_SEPARATOR.$filename) && $filename[0] !== '.') { - delete_files($path.DIRECTORY_SEPARATOR.$filename, $del_dir, $level + 1); + delete_files($path.DIRECTORY_SEPARATOR.$filename, $del_dir, $level + 1, $htdocs); } - else + elseif ($htdocs === TRUE && ! preg_match('/^(\.htaccess|index\.(html|htm|php))$/', $filename)) { @unlink($path.DIRECTORY_SEPARATOR.$filename); } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 0a690a5eb..9f0d55ad5 100644 --- a/user_guide_src/source/changelog.rst 
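Review bot: In `delete_all()` the new call `delete_files($this->db->cachedir, TRUE, 0, TRUE)` has to pass the helper's recursion counter (`0`) by hand to reach the fourth argument, and the two bare `TRUE` values cannot be told apart. A comment above the call would keep the security intent visible, for example `// 4th arg TRUE: keep .htaccess and index.* guard files in the cache dir; 0 is the starting recursion level`. The helper is documented as returning bool and that result is discarded here, so a cache directory that could not be cleared goes unnoticed. If the method's contract allows it (its docblock is outside the hunk), `return delete_files(...);` would surface the failure.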
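Review bot: The added `@param int` line in the `delete_files()` docblock has no description, and the name `$htdocs` does not say what the flag does. The recursive call later in this file passes `$level + 1`, so the third parameter is the current recursion depth and could be documented as `@param int current directory depth (used by the recursion, leave at 0)`. The fourth line would be clearer as `@param bool TRUE to keep .htaccess and index.(html|htm|php) files`. The function body continues outside this hunk.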
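Review bot: With the default `$htdocs = FALSE` the new `elseif` is never true, so `delete_files($path)` and `delete_files($path, TRUE)` no longer unlink any file. Only callers that pass `TRUE` as the fourth argument still delete. The flag should gate the exemption alone: `elseif ($htdocs !== TRUE || ! preg_match('/^(\.htaccess|index\.(html|htm|php))$/i', $filename))`. The `i` modifier is added because the pattern is case-sensitive, so on a case-insensitive filesystem a guard file named `Index.html` would still be removed. The surrounding loop and the rest of `delete_files()` lie outside the hunk, so whatever runs after this branch is not visible here.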
+++ b/user_guide_src/source/changelog.rst @@ -50,6 +50,7 @@ Release Date: Not Released - form_dropdown() will now also take an array for unity with other form helpers. - set_realpath() can now also handle file paths as opposed to just directories. - do_hash() now uses PHP's native hash() function, supporting more algorithms. + - Added an optional paramater to ``delete_files()`` to enable it to skip deleting files such as .htaccess and index.html. - Database @@ -186,6 +187,7 @@ Bug fixes for 3.0 - Fixed a bug in the library loader where some PHP versions wouldn't execute the class constructor. - Fixed a bug (#88) - An unexisting property was used for configuration of the Memcache cache driver. - Fixed a bug (#14) - create_database() method in the :doc:`Database Forge Library ` didn't utilize the configured database character set. +- Fixed a bug (#1238) - delete_all() in the `Database Caching Library ` used to delete .htaccess and index.html files, which is a potential security risk. Version 2.1.1 ============= -- cgit v1.2.3-24-g4f1b