From 7e5597782a589e4171ca08abdd9ce1a185542ff4 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 29 Jan 2013 15:38:33 +0200 Subject: Replace CI_Upload::clean_file_name() usage with CI_Security::sanitize_filename() Also applied @xeptor's fix (a big thanks) to the sanitize_filename() method and added a changelog entry for it - fixes issue #73. --- user_guide_src/source/changelog.rst | 2 ++ 1 file changed, 2 insertions(+) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 982ae22f4..daa1cfc7a 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -215,6 +215,7 @@ Release Date: Not Released - Added **max_filename_increment** config setting. - Added an **index** parameter to the ``data()`` method. - Added the **min_width** and **min_height** options for images. + - Removed method ``clean_file_name()`` and its usage in favor of :doc:`Security Library `'s ``sanitize_filename()``. - :doc:`Cart library ` changes include: - ``insert()`` now auto-increments quantity for an item when inserted twice instead of resetting it, this is the default behaviour of large e-commerce sites. - *Product Name* strictness can be disabled by switching the ``$product_name_safe`` property to FALSE. @@ -478,6 +479,7 @@ Bug fixes for 3.0 - Fixed a bug (#2061) - :doc:`Routing Class ` didn't properly sanitize directory, controller and function triggers with **enable_query_strings** set to TRUE. - Fixed a bug - SQLSRV didn't support ``escape_like_str()`` or escaping an array of values. - Fixed a bug - :doc:`DB result ` method ``list_fields()`` didn't reset its field pointer for the *mysql*, *mysqli* and *mssql* drivers. +- Fixed a bug (#73) - :doc:`Security Library ` method ``sanitize_filename()`` could be tricked by an XSS attack. Version 2.1.3 ============= -- cgit v1.2.3-24-g4f1b