From 7e5597782a589e4171ca08abdd9ce1a185542ff4 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Tue, 29 Jan 2013 15:38:33 +0200
Subject: Replace CI_Upload::clean_file_name() usage with CI_Security::sanitize_filename()
Also applied @xeptor's fix (a big thanks) to the sanitize_filename() method and added a changelog entry for it - fixes issue #73.
---
 system/core/Security.php | 10 ++++++++-
 system/libraries/Upload.php | 50 ++-------------------------------------------
 2 files changed, 11 insertions(+), 49 deletions(-)
(limited to 'system')
diff --git a/system/core/Security.php b/system/core/Security.php
index a6cd14a5f..7aae54efc 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -576,7 +576,15 @@ class CI_Security {
 }
 $str = remove_invisible_characters($str, FALSE);
- return stripslashes(str_replace($bad, '', $str));
+
+ do
+ {
+ $old = $str;
+ $str = str_replace($bad, '', $str);
+ }
+ while ($old !== $str);
+
+ return stripslashes($str);
 }
 // ----------------------------------------------------------------
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index 1f0bd6a6e..814ea68a4 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -463,7 +463,8 @@ class CI_Upload {
 }
 // Sanitize the file name for security
- $this->file_name = $this->clean_file_name($this->file_name);
+ $CI =& get_instance();
+ $this->file_name = $CI->security->sanitize_filename($this->file_name);
 // Truncate the file name if it's too long
 if ($this->max_filename > 0)
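Review bot: In the system/core/Security.php hunk the new loop reaches its fixed point before `stripslashes()` runs, so the final `return stripslashes($str);` can rejoin a sequence from `$bad` that was split by a backslash and therefore never matched inside the loop. Unless `$bad` already strips backslashes, the unescaping should happen before the filter, not after it: `$str = stripslashes(remove_invisible_characters($str, FALSE));` ahead of the loop and a plain `return $str;` at the end. The enclosing sanitize_filename() and the `$bad` list begin above the hunk, so the list should be checked before applying this.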
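Review bot: In the system/libraries/Upload.php hunk the file name no longer passes through `$this->clean_file_name()`, so an application subclass that overrode that public method to tighten upload sanitisation silently stops being applied, and the later hunk in this file deletes the method outright. Keeping `clean_file_name()` as a thin wrapper whose body is `return get_instance()->security->sanitize_filename($filename);`, and still calling `$this->clean_file_name($this->file_name)` here, would preserve that extension point. Separately, the `$bad` list used by `sanitize_filename()` is not part of this diff, so it is worth confirming that it still strips everything the removed list did, such as `'/'`, `'!'` and the double-encoded `%25` entries. The enclosing upload method starts and ends outside the hunk.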
@@ -970,53 +971,6 @@ class CI_Upload {
 // --------------------------------------------------------------------
- /**
- * Clean the file name for security
- *
- * @param string $filename
- * @return string
- */
- public function clean_file_name($filename)
- {
- $bad = array(
- '',
- "'", '"',
- '<', '>',
- '&', '$',
- '=',
- ';',
- '?',
- '/',
- '!',
- '#',
- '%20',
- '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
-
- do
- {
- $old_filename = $filename;
- $filename = str_replace($bad, '', $filename);
- }
- while ($old_filename !== $filename);
-
- return stripslashes($filename);
- }
-
- // --------------------------------------------------------------------
-
 /**
 * Limit the File Name Length
 *
--
cgit v1.2.3-24-g4f1b