From: jj07020 at lanet dot lv Operating system: Windows XP Pro SP3 PHP version: 5.3.1 PHP Bug Type: Apache2 related Bug description: File upload problem
Description: ------------ It is possible to supply a filename which will be incorrectly parsed by PHP. The problem occurs when uploading a file from an HTML form with attributes name="file[" (lacking the closing bracket) and type="file". I'm using Apache 2.2.14 & PHP 5.3.1, but I was able to reproduce the bug with Apache 2.2.10 & PHP 5.3.0. Reproduce code: --------------- HTML form - form.html: <form method="post" enctype="multipart/form-data" action="upload.php"> <input type="file" name="file[" /> <input type="submit" value="OK" /> </form> PHP code - upload.php: <?php var_dump($_FILES); ?> The body of the HTTP request: ------------3PL7QzumhbsotvnG6nZnmR Content-Disposition: form-data; name="file["; filename="code.gif" Content-Type: image/gif <binary gif data> ------------3PL7QzumhbsotvnG6nZnmR-- Expected result: ---------------- The array $_FILES should contain valid keys as specified in http://www.php.net/manual/en/features.file-upload.post-method.php. Hovever, the following assertion fails: if (isset($_FILES["file"])) { assert(is_string($_FILES["name"])); // actual key is "[name" } Since the filename ("file[") lacks the closing bracket, it probably should be interpreted as a single file named "file[": array(1) { ["file["]=> array(5) { ["name"]=> string(8) "code.gif" ["type"]=> string(9) "image/gif" ["tmp_name"]=> string(17) "C:\Temp\php3A.tmp" ["error"]=> int(0) ["size"]=> int(3342) } } Actual result: -------------- The array $_FILES: array(1) { ["file"]=> array(5) { ["[name"]=> string(8) "code.gif" ["[type"]=> string(9) "image/gif" ["[tmp_name"]=> string(17) "C:\Temp\php3A.tmp" ["[error"]=> int(0) ["[size"]=> int(3342) } } -- Edit bug report at http://bugs.php.net/?id=50314&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=50314&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=50314&r=trysnapshot53 Try a snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=50314&r=trysnapshot60 Fixed in SVN: http://bugs.php.net/fix.php?id=50314&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=50314&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=50314&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=50314&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=50314&r=needscript Try newer version: http://bugs.php.net/fix.php?id=50314&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=50314&r=support Expected behavior: http://bugs.php.net/fix.php?id=50314&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=50314&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=50314&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=50314&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=50314&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=50314&r=dst IIS Stability: http://bugs.php.net/fix.php?id=50314&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=50314&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=50314&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=50314&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=50314&r=mysqlcfg
