
Commit 3989f1a

Backport fix for issue bcit-ci#73 and add missing changelog entries
1 parent dc48b00 commit 3989f1a


3 files changed

+38
-68
lines changed


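--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -572,37 +572,22 @@ public function entity_decode($str, $charset='UTF-8')
 public function sanitize_filename($str, $relative_path = FALSE)
 {
 $bad = array(
-"../",
-"<!--",
-"-->",
-"<",
-">",
-"'",
-'"',
-'&',
-'$',
-'#',
-'{',
-'}',
-'[',
-']',
-'=',
-';',
-'?',
-"%20",
-"%22",
-"%3c", // <
-"%253c", // <
-"%3e", // >
-"%0e", // >
-"%28", // (
-"%29", // )
-"%2528", // (
-"%26", // &
-"%24", // $
-"%3f", // ?
-"%3b", // ;
-"%3d" // =
+'../', '<!--', '-->', '<', '>',
+"'", '"', '&', '$', '#',
+'{', '}', '[', ']', '=',
+';', '?', '%20', '%22',
+'%3c', // <
+'%253c', // <
+'%3e', // >
+'%0e', // >
+'%28', // (
+'%29', // )
+'%2528', // (
+'%26', // &
+'%24', // $
+'%3f', // ?
+'%3b', // ;
+'%3d' // =
 );
 
 if ( ! $relative_path)
@@ -612,7 +597,15 @@ public function sanitize_filename($str, $relative_path = FALSE)
 }
 
 $str = remove_invisible_characters($str, FALSE);
-return stripslashes(str_replace($bad, '', $str));
+
+do
+{
+$old = $str;
+$str = str_replace($bad, '', $str);
+}
+while ($old !== $str);
+
+return stripslashes($str);
 }
 
 // ----------------------------------------------------------------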
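Review bot: The percent-encoded entries at new lines 575-590 are lowercase only (`'%3c'`, `'%3e'`, `'%28'`, …) while the `str_replace` on new line 604 is case-sensitive, so the uppercase hex spellings that percent-encoders normally produce are not stripped at all; `$str = str_ireplace($bad, '', $str);` closes that gap without changing how the punctuation entries behave. The `// >` comment on `'%0e'` at new line 582 is inaccurate — `%0e` is a control character, and `>` is the `'%3e'` entry directly above it — and should be corrected so the list reads as intended. The fixed-point loop on new lines 601-606 is the right shape for a strip-until-stable filter, and the strict `!==` comparison is correct. sanitize_filename() starts in the first hunk and ends in the second; the `$relative_path` handling between them is outside the view.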

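--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -257,7 +257,8 @@ public function do_upload($field = 'userfile')
 }
 
 // Sanitize the file name for security
-$this->file_name = $this->clean_file_name($this->file_name);
+$CI =& get_instance();
+$this->file_name = $CI->security->sanitize_filename($this->file_name);
 
 // Truncate the file name if it's too long
 if ($this->max_filename > 0)
@@ -746,43 +747,14 @@ public function get_extension($filename)
 /**
 * Clean the file name for security
 *
-* @param string
+* @deprecated 2.2.1 Alias for CI_Security::sanitize_filename()
+* @param string $filename
 * @return string
 */
 public function clean_file_name($filename)
 {
-$bad = array(
-"<!--",
-"-->",
-"'",
-"<",
-">",
-'"',
-'&',
-'$',
-'=',
-';',
-'?',
-'/',
-"%20",
-"%22",
-"%3c", // <
-"%253c", // <
-"%3e", // >
-"%0e", // >
-"%28", // (
-"%29", // )
-"%2528", // (
-"%26", // &
-"%24", // $
-"%3f", // ?
-"%3b", // ;
-"%3d" // =
-);
-
-$filename = str_replace($bad, '', $filename);
-
-return stripslashes($filename);
+$CI =& get_instance();
+return $CI->security->sanitize_filename($filename);
 }
 
 // --------------------------------------------------------------------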
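Review bot: Replacing the `$this->clean_file_name()` call in do_upload() (new lines 260-261) with a direct `$CI->security->sanitize_filename()` call means an application class that extends CI_Upload and overrides the still-public clean_file_name() is no longer consulted during the upload, which is a silent behaviour change this commit does not document. Because clean_file_name() is kept and now delegates to the same method (new lines 756-757), keeping `$this->file_name = $this->clean_file_name($this->file_name);` in do_upload() would deliver the fix to existing overrides too; otherwise the changelog entry should state that do_upload() no longer routes through clean_file_name(). The deprecation tag at new line 750 would also be clearer phrased as the replacement a caller should write, e.g. `@deprecated 2.2.1 Use CI_Security::sanitize_filename() instead`, so the alias is not read as the recommended API. do_upload() starts and ends outside the first hunk.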

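--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -72,10 +72,15 @@ <h2>Version 2.2.1</h2>
 <h3>Bug fixes:</h3>
 <ul>
 <li>Fixed a bug (#3094) - <samp>CI_Input::_clean_input_data()</samp> breaks encrypted session cookies.</li>
-<li>Fixed a bug (#2508) - <a href="libraries/config.html">Config Library</a> didn't properly detect if the current request is via HTTPS.</li>
-<li>Fixed a bug (#3314) - SQLSRV <a href="database/index.html">Database driver</a>'s method <samp>count_all()</samp> didn't escape the supplied table name.</li>
+<li>Fixed a bug (#2268) - <samp>CI_Security::xss_clean()</samp> didn't properly match JavaScript events.</li>
 <li>Fixed a bug (#3309) - <samp>CI_Security::xss_clean()</samp> used an overly-invasive pattern to strip JS event handlers.</li>
 <li>Fixed a bug (#2771) - <samp>CI_Security::xss_clean()</samp> didn't take into account HTML5 entities.</li>
+<li>Fixed a bug (#73) - <samp>CI_Security::sanitize_filename()</samp> could be tricked by an XSS attack.</li>
+<li>Fixed a bug (#2681) - <samp>CI_Security::entity_decode()</samp> used the PREG_REPLACE_EVAL flag, which is deprecated since PHP 5.5.</li>
+<li>Fixed a bug (#3302) - Internal function <samp>get_config()</samp> triggered an E_NOTICE message on PHP 5.6.</li>
+<li>Fixed a bug (#2508) - <a href="libraries/config.html">Config Library</a> didn't properly detect if the current request is via HTTPS.</li>
+<li>Fixed a bug (#3314) - SQLSRV <a href="database/index.html">Database driver</a>'s method <samp>count_all()</samp> didn't escape the supplied table name.</li>
+<li>Fixed a bug (#3404) - MySQLi <a href="database/index.html">Database driver</a>'s method <samp>escape_str()</samp> had a wrong fallback to <samp>mysql_escape_string()</samp> when there was no active connection.</li>
 </ul>
 
 <h2>Version 2.2.0</h2>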
