From 009c8f09fbe767b01453f32b28f8a8a8dd4ef7c5 Mon Sep 17 00:00:00 2001
From: gommarah
Date: Mon, 28 Jan 2013 13:45:50 +0200
Subject: Upload library, clean_file_name function: Fix xss bug. For example: If you clear this string "%%3f3f" according to the $bad array will fail. The result will be "%3f" Because str_replace() replaces left to right.
Signed-off-by: xeptor
---
system/libraries/Upload.php | 7 +++++++
1 file changed, 7 insertions(+) (limited to 'system')
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 96bb17edc..86c93411e 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -1005,6 +1005,13 @@ class CI_Upload {
 '%3d' // =
 );

+ do
+ {
+ $old_filename = $filename;
+ $filename = str_replace($bad, '', $filename);
+ }
+ while ($old_filename !== $filename);
+
 return stripslashes(str_replace($bad, '', $filename));
 }

-- 
cgit v1.2.3-24-g4f1b

From 9be4cd74db158d805e0bc04c48c52a6453337c1d Mon Sep 17 00:00:00 2001
From: gommarah
Date: Mon, 28 Jan 2013 13:58:35 +0200
Subject: Remove str_replace in return
---
system/libraries/Upload.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system')
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 86c93411e..1f0bd6a6e 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -1012,7 +1012,7 @@ class CI_Upload {
 }
 while ($old_filename !== $filename);

- return stripslashes(str_replace($bad, '', $filename));
+ return stripslashes($filename);
 }

 // --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b
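Review bot: `stripslashes()` runs after the fixed-point loop, so the string returned is not the one the loop verified: dropping a backslash can join the characters on either side of it into a `$bad` entry again, which is the same reassembly problem the `do … while` was added to close. This applies to the `return` in this hunk and equally to `return stripslashes($filename);` in the follow-up commit's hunk. Strip inside the loop instead, `$filename = stripslashes(str_replace($bad, '', $filename));`, and finish with `return $filename;` so the loop condition covers the final value. Separately, `str_replace()` is case-sensitive and the visible entry `'%3d'` is lower-case; if the rest of `$bad` (outside the hunk) is lower-case too, upper-case hex escapes pass through unchanged, and `str_ireplace()` would cover both. The function body starts outside the hunk, so the full `$bad` list should be checked before relying on this.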