ID: 29937 Comment by: brad at timelesstech dot com Reported By: justin at timelesstech dot com Status: Assigned Bug Type: *Directory/Filesystem functions Operating System: FreeBSD 4.8 stable PHP Version: 4.3.8 Assigned To: derick New Comment:
Let me clarify a bit... we use a tool from Radinks, and in this tool there is a "FULL_PATH" option that will pass along the full path and filename in the $_FILES['..']['name'] variable. By default, it's just the filename in this ['name'] variable, but Radinks did something (possibly in headers?) to allow the fullpath to come through. It looks as though the security "fix" broke this desired behavoiur. Previous Comments: ------------------------------------------------------------------------ [2004-09-03 18:46:33] justin at timelesstech dot com It was not documented, but this has been the well-known behavior for quite some time, and the browsers do send the path information. Any code written to deal the the 'name' value has always had to deal with the path information, so changing it now breaks all code from previous versions. Perhaps the new behaviour default could be to only get the filename, but an override would allow us to get the path too? Just some way so that old written systems will still be able to work =) ------------------------------------------------------------------------ [2004-09-03 17:49:08] [EMAIL PROTECTED] I don't think the RFC actually allows that, nor was this ever documented. I will check the RFC later. ------------------------------------------------------------------------ [2004-09-03 16:58:31] justin at timelesstech dot com It is the path of the original uploaded file name. The reason this info is needed, is when a bunch of files are uploaded via a web file manager application, it needs to know the path of each file, so when it re-creates the path/file structure on the server, it is able to put all the files in the right places, rather than everything going in "one directory". ------------------------------------------------------------------------ [2004-09-03 16:55:42] [EMAIL PROTECTED] Which path is this, of the original uploaded file name or the one on the server (in /tmp...)? ------------------------------------------------------------------------ [2004-09-03 16:24:50] justin at timelesstech dot com Yes it probably is related to that "fix" BUT this "fix" breaks a ton of code and changes the behavior. Can the "fix" be done in such a way that it prevents the security vulnerability, but doesn't break all the existing code out there that needs the client path of file(s) being uploaded? Also before this new fix is fixed, is there any workaround? ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/29937 -- Edit this bug report at http://bugs.php.net/?id=29937&edit=1