Diffstat (limited to 'includes')
-rw-r--r-- | includes/bootstrap.inc | 2 | ||||
-rw-r--r-- | includes/file.inc | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 9bd37fd17..dcab7df07 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.18-dev');
+define('VERSION', '7.19-dev');
 
 /**
  * Core API compatibility.
diff --git a/includes/file.inc b/includes/file.inc
index 1e256c634..278be3ddc 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -1113,6 +1113,9 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
   // Allow potentially insecure uploads for very savvy users and admin
   if (!variable_get('allow_insecure_uploads', 0)) {
+    // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
+    $filename = str_replace(chr(0), '', $filename);
+
     $whitelist = array_unique(explode(' ', trim($extensions)));
 
     // Split the filename up by periods. The first part becomes the basename