Upload after CodeIgniter 1.7.2 Security Patch
#1

[eluser]patwork[/eluser]
This patch is driving me crazy. What was the point in changing filename override?

Let's suppose, I'm allowing three filetypes:
Code:
$upload_config['allowed_types'] = 'gif|jpg|png';

But I want to override the filename, for example:
Code:
$upload_config['file_name'] = 'my_filename_'.time();

That was ok before the patch. A user uploads a PNG, I get "my_filename_xxx.PNG"; a user uploads a JPG, I get "my_filename_xxx.JPG", and so on. How is it better now, when I'm forced to check what extension the uploaded file has before I set $upload_config['file_name']?

How can I force new Upload library to add proper extension to my (base) filename?
#2

[eluser]mddd[/eluser]
I briefly looked at the changes in Upload.php and I think the problem is that it is possible to do some hacking of the file extension to make files appear like they are other files. Apache webserver can handle these files and execute them based on their mimetype which could be different from the filename extension.

For instance: a file called document.php.html would LOOK like an html document but could still be executed as a php document if your server is set to allow this!

Now, it is understandable why the extension is no longer automatically added back: because that could pose a risk. You have to check for yourself which extension you want to put back on there. In the case of '.php.html', you would check yourself and probably only want to put back '.html', making sure it is safe.
#3

[eluser]Unknown[/eluser]
This is what I changed:

From
Code:
$config['file_name'] = uniqid();

To
Code:
// keep the extension the browser reported, and attach it to the generated name
$ext = pathinfo($_FILES['fileImage']['name'], PATHINFO_EXTENSION);
$config['file_name'] = uniqid() . '.' . $ext;
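The fix in #3 re-attaches whatever extension the browser reported, which is exactly the situation #2 warns about: the name the client sends is untrusted, so the extension should be vetted against the same allow-list before it is put back. The example below is added here and is not code from this thread or from CodeIgniter; the function names, the form field name 'userfile', the upload path and the sample file names are assumptions for the example. It takes only the text after the last dot, compares it case-insensitively with the allow-list, and refuses the upload instead of "putting back" anything that is not on the list, so "shell.php" never reaches disk as a .php file and "document.php.html" becomes "<base>.html" with the inner ".php" discarded.

```php
<?php
// Added example, not code from this thread or from CodeIgniter.

/**
 * Return "<base>.<ext>" when the client file name carries an allowed
 * extension, or false when the upload should be refused.
 *
 * @param string $clientName   the browser-supplied name ($_FILES[...]['name'])
 * @param string $allowedTypes CodeIgniter-style list, e.g. 'gif|jpg|png'
 * @param string $base         server-generated base name, no dots or slashes
 * @return string|false
 */
function safe_upload_name($clientName, $allowedTypes, $base)
{
    $allowed = array_map('strtolower', explode('|', $allowedTypes));

    // Only the text after the LAST dot is the extension. Any directory part
    // or earlier ".php" in the client name is thrown away with the rest of it.
    // Lower-case it so "photo.PNG" is stored as "<base>.png".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // No extension at all ("noext", "shell.php.") or one outside the list: refuse.
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return false;
    }

    // The base name is ours, but make sure a caller cannot smuggle a dot or a
    // path separator back in and recreate a double extension.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $base)) {
        return false;
    }

    return $base . '.' . $ext;
}

/**
 * Build the $config array for $this->load->library('upload', $config),
 * or return false when the file name is unacceptable.
 * The 'upload_path' value and the calling form field are assumptions.
 *
 * @param array  $file         one entry of $_FILES, e.g. $_FILES['userfile']
 * @param string $allowedTypes CodeIgniter-style list, e.g. 'gif|jpg|png'
 * @return array|false
 */
function build_upload_config(array $file, $allowedTypes)
{
    $name = safe_upload_name($file['name'], $allowedTypes, 'my_filename_' . time());
    if ($name === false) {
        return false;
    }
    return array(
        'upload_path'   => './uploads/',
        'allowed_types' => $allowedTypes, // keep the library's own check on as well
        'file_name'     => $name,
    );
}

// Constructed sample client names for the demonstration, not real uploads.
$samples = array('photo.PNG', 'document.php.html', 'shell.php', 'shell.php.', 'noext', '../../x.jpg');
foreach ($samples as $name) {
    $result = safe_upload_name($name, 'gif|jpg|png|html', 'my_filename_' . time());
    echo str_pad($name, 20), ' => ', ($result === false ? 'REJECTED' : $result), PHP_EOL;
}
```

In a controller this becomes: call build_upload_config($_FILES['userfile'], 'gif|jpg|png'); if it returns false, show an error and never call do_upload(); otherwise pass the array to $this->load->library('upload', $config) and call $this->upload->do_upload('userfile'). The name check only controls what the file is called; it does not inspect the bytes, so a file named .png can still contain PHP source. The upload directory should therefore sit outside the web root or be configured so nothing in it is executed, whatever the extension.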



