ID: 29937 User updated by: justin at timelesstech dot com Reported By: justin at timelesstech dot com Status: Open Bug Type: *Directory/Filesystem functions Operating System: FreeBSD 4.8 stable PHP Version: 4.3.8 New Comment:
Yes it probably is related to that "fix" BUT this "fix" breaks a ton of code and changes the behavior. Can the "fix" be done in such a way that it prevents the security vulnerability, but doesn't break all the existing code out there that needs the client path of file(s) being uploaded? Also before this new fix is fixed, is there any workaround? Previous Comments: ------------------------------------------------------------------------ [2004-09-03 14:56:06] brad at timelesstech dot com It might have something to do with this bug fix: http://bugs.php.net/bug.php?id=28456 ------------------------------------------------------------------------ [2004-09-02 08:40:25] justin at timelesstech dot com Our web host, pair Networks, installed the PHP version to the server. I believe they compiled from source, and I know they are experts at installing and configuring PHP as they manage hundreds of servers. >From a phpinfo() command here are the configure command options they used on Aug 18/04: './configure' '--with-apache=/usr/pair/sw/apache_1.3.29' '--with-config-file-path=/usr/local/etc' '--enable-magic-quotes' '--enable-bcmath' '--without-cdb' '--with-zlib-dir=/usr/local' '--with-gd' '--with-ttf' '--without-msql' '--with-mysql=/usr/local' '--with-iodbc' '--with-pdflib' '--enable-inline-optimization' '--disable-memory-limit' '--with-db' '--without-gdbm' '--with-ndbm' '--without-db2' '--without-dbm' '--with-gettext' '--without-readline' '--with-recode' '--without-openssl' '--with-mcrypt' '--without-db3' '--enable-dba' '--with-curl' '--with-png-dir=/usr/local/lib' '--with-jpeg-dir=/usr/local/lib' '--enable-calendar' '--with-mhash' '--enable-xslt' '--with-xslt-sablot' '--with-expat-dir=/usr/local' '--enable-gd-lzw-gif' '--enable-mstring' ------------------------------------------------------------------------ [2004-09-02 08:20:28] [EMAIL PROTECTED] Did you compile PHP from source or did you use the ports? If you used the ports, can you check what patches were applied to the clean php source? ------------------------------------------------------------------------ [2004-09-01 22:40:40] justin at timelesstech dot com Description: ------------ We have had scripts running for a while now fine on PHP 4.3.4 that assume that the $_FILES['name'] value on file uploads contains the full /path/to/the/filename.txt However after our server admins upgraded to PHP 4.3.8 the $FILES['name'] now only contains the filename, with no path. This makes it impossible for our recursive file uploader script to work, since it NEEDS the pathname of those files to know what directory/subdir on the server to upload the file(s) to! The changelog does not mention this, but does anybody have any ideas? ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=29937&edit=1
