ID: 49683
Updated by: j...@php.net
Reported By: adamiwaniuk at gmail dot com
-Status: Open
+Status: Bogus
Bug Type: Unknown/Other Function
PHP Version: 5.2.11
New Comment:

Same problem as already reported in bug #48597

Previous Comments:
------------------------------------------------------------------------

[2009-09-26 21:47:06] adamiwaniuk at gmail dot com

Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx', it is possible to prepare some fake data in the $_FILES structure array.
If someone uploads multiple files, it is possible to set a fake file size or, when someone is using an unsafe upload method (without is_uploaded_file()/move_uploaded_file()), to set tmp_name to any file.

Example content:
Content-Disposition: form-data; name="images[[tmp_name]"; filename="file.txt"
Content-Disposition: form-data; name="images[tmp_name]["; filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES)?>

<?php
// Unsafe: copies whatever path tmp_name holds, without is_uploaded_file().
foreach ($_FILES["images"]["tmp_name"] as $key => $name){
    copy($_FILES["images"]["tmp_name"][$key],'upload\\a'.rand().'.txt');
}
?>

<?php
// Relies on the size field of $_FILES to limit the upload.
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
    if ($_FILES["images"]["size"][$key]>0 && $_FILES["images"]["size"][$key]<1024)
        move_uploaded_file($_FILES["images"]["tmp_name"][$key],'upload\\'.rand().'.txt');
}
?>

Expected result:
----------------
It should skip the uploaded file when 'name' ends with [ or '[xxx'.

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=49683&edit=1
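
An application-side check for the malformed structure shown in the report, as an added example that is not code from the bug report or from PHP itself. It assumes PHP 7 or later and a form that submits files as name="images[]"; the function name trusted_uploads, the 'upload/' destination and the random file name are hypothetical.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Assumes PHP 7+ and a form that submits files as name="images[]".
function trusted_uploads(array $entry, int $limit): array
{
    $fields = ['name', 'type', 'tmp_name', 'error', 'size'];
    // A genuine multi-file entry holds exactly these five arrays.
    if (count($entry) !== count($fields)) {
        return [];
    }
    foreach ($fields as $f) {
        if (!isset($entry[$f]) || !is_array($entry[$f])) {
            return [];
        }
    }
    $accepted = [];
    foreach ($entry['tmp_name'] as $key => $tmp) {
        // name="images[]" yields integer keys. String keys such as
        // "[name" or "[size" (the report's var_dump) mark a forged entry.
        if (!is_int($key)) {
            continue;
        }
        // The same key must exist in every field, not only in tmp_name.
        foreach ($fields as $f) {
            if (!array_key_exists($key, $entry[$f])) {
                continue 2;
            }
        }
        if ($entry['error'][$key] !== UPLOAD_ERR_OK) {
            continue;
        }
        // Only accept paths that PHP itself created for this request.
        if (!is_string($tmp) || !is_uploaded_file($tmp)) {
            continue;
        }
        // Measure the file instead of trusting the 'size' field.
        $bytes = filesize($tmp);
        if ($bytes === false || $bytes < 1 || $bytes >= $limit) {
            continue;
        }
        $accepted[] = ['tmp_name' => $tmp, 'bytes' => $bytes];
    }
    return $accepted;
}

// 1024 mirrors the size limit in the report's third snippet.
foreach (trusted_uploads($_FILES['images'] ?? [], 1024) as $file) {
    move_uploaded_file($file['tmp_name'], 'upload/' . bin2hex(random_bytes(8)) . '.txt');
}
```

With the two Content-Disposition headers from the report, every key under tmp_name is a string beginning with '[', so nothing is accepted and nothing is moved.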