[eluser]Colm Ward[/eluser]
Old thread I know, but you can get around this simply by setting
Code:
'allowed_types' => '*'
I didnt want to allow any kind of file to be uploaded. So I solved this by extending the core, which is slightly less hacky than changing the core directly:
Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class MY_Upload extends CI_Upload {
/**
* Overriding the default 'Prep Filename' to prevent underscores appearing before dots in filenames if remove_spaces is set to false
*
* Prevents possible script execution from Apache's handling of files multiple extensions
* http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext
*
* @param string
* @return string
*/
protected function _prep_filename($filename)
{
if (strpos($filename, '.') === FALSE OR $this->allowed_types == '*')
{
return $filename;
}
$parts = explode('.', $filename);
$ext = array_pop($parts);
$filename = array_shift($parts);
foreach ($parts as $part)
{
if ( ! in_array(strtolower($part), $this->allowed_types) OR $this->mimes_types(strtolower($part)) === FALSE)
{
if($this->remove_spaces) // don't prefix the dots with underscores if remove_spaces is set to false
{
$filename .= '.'.$part.'_';
}
else
{
$filename .= '.'.$part;
}
}
else
{
$filename .= '.'.$part;
}
}
$filename .= '.'.$ext;
return $filename;
}
}
/* End of file MY_Upload.php */
/* Location: ./system/application/libraries/MY_Upload.php */
