 ID:               29937
 User updated by:  justin at timelesstech dot com
 Reported By:      justin at timelesstech dot com
-Status:           Feedback
+Status:           Open
 Bug Type:         *Directory/Filesystem functions
 Operating System: FreeBSD 4.8 stable
 PHP Version:      4.3.8
 New Comment:

It is the path of the original uploaded file name. The reason this info is needed is when a bunch of files are uploaded via a web file manager application, it needs to know the path of each file, so when it re-creates the path/file structure on the server, it is able to put all the files in the right places, rather than everything going in "one directory".


Previous Comments:
------------------------------------------------------------------------

[2004-09-03 16:55:42] [EMAIL PROTECTED]

Which path is this, of the original uploaded file name or the one on the server (in /tmp...)?

------------------------------------------------------------------------

[2004-09-03 16:24:50] justin at timelesstech dot com

Yes it probably is related to that "fix" BUT this "fix" breaks a ton of code and changes the behavior. Can the "fix" be done in such a way that it prevents the security vulnerability, but doesn't break all the existing code out there that needs the client path of file(s) being uploaded? Also before this new fix is fixed, is there any workaround?

------------------------------------------------------------------------

[2004-09-03 14:56:06] brad at timelesstech dot com

It might have something to do with this bug fix:
http://bugs.php.net/bug.php?id=28456

------------------------------------------------------------------------

[2004-09-02 08:40:25] justin at timelesstech dot com

Our web host, pair Networks, installed the PHP version to the server. I believe they compiled from source, and I know they are experts at installing and configuring PHP as they manage hundreds of servers.

From a phpinfo() command here are the configure command options they used on Aug 18/04:

'./configure' '--with-apache=/usr/pair/sw/apache_1.3.29'
'--with-config-file-path=/usr/local/etc' '--enable-magic-quotes'
'--enable-bcmath' '--without-cdb' '--with-zlib-dir=/usr/local'
'--with-gd' '--with-ttf' '--without-msql' '--with-mysql=/usr/local'
'--with-iodbc' '--with-pdflib' '--enable-inline-optimization'
'--disable-memory-limit' '--with-db' '--without-gdbm' '--with-ndbm'
'--without-db2' '--without-dbm' '--with-gettext' '--without-readline'
'--with-recode' '--without-openssl' '--with-mcrypt' '--without-db3'
'--enable-dba' '--with-curl' '--with-png-dir=/usr/local/lib'
'--with-jpeg-dir=/usr/local/lib' '--enable-calendar' '--with-mhash'
'--enable-xslt' '--with-xslt-sablot' '--with-expat-dir=/usr/local'
'--enable-gd-lzw-gif' '--enable-mstring'

------------------------------------------------------------------------

[2004-09-02 08:20:28] [EMAIL PROTECTED]

Did you compile PHP from source or did you use the ports? If you used the ports, can you check what patches were applied to the clean php source?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/29937

-- 
Edit this bug report at http://bugs.php.net/?id=29937&edit=1