From 6ef8b69b80093bf706d29df28d108f77acbf9dc0 Mon Sep 17 00:00:00 2001
From: Derek Jones <derek.jones@ellislab.com>
Date: Mon, 17 Mar 2008 19:09:12 +0000
Subject: added filename prepping in the Upload library to prevent files with
 multiple extensions to potentially be parsed as a script by Apache

---
 system/libraries/Upload.php | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

(limited to 'system/libraries/Upload.php')

diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 2a3f53d4b..760d93999 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -185,7 +185,7 @@ class CI_Upload {
 
 		// Set the uploaded data as class variables
 		$this->file_temp = $_FILES[$field]['tmp_name'];		
-		$this->file_name = $_FILES[$field]['name'];
+		$this->file_name = $this->_prep_filename($_FILES[$field]['name']);
 		$this->file_size = $_FILES[$field]['size'];		
 		$this->file_type = preg_replace("/^(.+?);.*$/", "\\1", $_FILES[$field]['type']);
 		$this->file_type = strtolower($this->file_type);
@@ -833,6 +833,46 @@ class CI_Upload {
 		return ( ! isset($this->mimes[$mime])) ? FALSE : $this->mimes[$mime];
 	}
 
+	/**
+	 * Prep Filename
+	 *
+	 * Prevents possible script execution from Apache's handling of files multiple extensions
+     * http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext
+	 *
+	 * @access	private
+	 * @param	string
+	 * @return	string
+	 */
+	function _prep_filename($filename)
+	{
+		if (strpos($filename, '.') === FALSE)
+		{
+			return $filename;
+		}
+		
+		$parts		= explode('.', $filename);
+		$ext		= array_pop($parts);
+		$filename	= array_shift($parts);
+				
+		foreach ($parts as $part)
+		{
+			if ($this->mimes_types(strtolower($part)) === FALSE)
+			{
+				$filename .= '.'.$part.'_';
+			}
+			else
+			{
+				$filename .= '.'.$part;
+			}
+		}
+		
+		$filename .= '.'.$ext;
+		
+		return $filename;
+	}
+
+	// --------------------------------------------------------------------
+
 }
 // END Upload Class
 ?>
\ No newline at end of file
-- 
cgit v1.2.3-24-g4f1b