A fix has been implemented for a security flaw in CodeIgniter 1.7.2. You may obtain the fix either by downloading a fresh copy of CodeIgniter, or downloading this standalone patch. All applications using the File Upload class should install the patch to ensure that their application is not subject to a vulnerability.
While fixing this bug, we took the opportunity to make an improvement to the Upload class’s ability to allow a file name override. Previously, you needed to do a little dance in your controller to remove the extension from the file name if you were starting from user input; neither could you override the file extension. Now when using the “file_name” config override, you will supply the full file name, including the extension, truly overriding the file name provided by the client user agent.
After applying the patch, you will need to adjust your code accordingly if you are using the ‘file_name’ override in the Upload class. While we are not in the habit of making code changes within a version that has the potential to break compatibility, this change was necessary as part of the security fix.
If you are using CodeIgniter from the Mercurial repository at BitBucket, please make sure you pull the latest files. Version 1.7.2 has been branched and retagged to include this fix.
We’d like to thank CodeIgniter user alexaholic for bringing this to our attention. Security is always a top priority for our products, and we make ourselves available to be directly contacted for any security concerns.