ID:               29937
 Comment by:       brad at timelesstech dot com
 Reported By:      justin at timelesstech dot com
 Status:           Assigned
 Bug Type:         *Directory/Filesystem functions
 Operating System: FreeBSD 4.8 stable
 PHP Version:      4.3.8
 Assigned To:      derick
 New Comment:

Let me clarify a bit...  we use a tool from Radinks, and in this tool
there is a "FULL_PATH" option that will pass along the full path and
filename in the $_FILES['..']['name'] variable.  By default, it's just
the filename in this ['name'] variable, but Radinks did something
(possibly in headers?) to allow the fullpath to come through.  It looks
as though the security "fix" broke this desired behaviour.


Previous Comments:
------------------------------------------------------------------------

[2004-09-03 18:46:33] justin at timelesstech dot com

It was not documented, but this has been the well-known behavior for
quite some time, and the browsers do send the path information. Any
code written to deal with the 'name' value has always had to deal with
the path information, so changing it now breaks all code from previous
versions. Perhaps the new behaviour default could be to only get the
filename, but an override would allow us to get the path too? Just some
way so that old written systems will still be able to work =)

------------------------------------------------------------------------

[2004-09-03 17:49:08] [EMAIL PROTECTED]

I don't think the RFC actually allows that, nor was this ever
documented. I will check the RFC later.

------------------------------------------------------------------------

[2004-09-03 16:58:31] justin at timelesstech dot com

It is the path of the original uploaded file name. The reason this info
is needed, is when a bunch of files are uploaded via a web file manager
application, it needs to know the path of each file, so when it
re-creates the path/file structure on the server, it is able to put all
the files in the right places, rather than everything going in "one
directory".

------------------------------------------------------------------------

[2004-09-03 16:55:42] [EMAIL PROTECTED]

Which path is this, of the original uploaded file name or the one on
the server (in /tmp...)?

------------------------------------------------------------------------

[2004-09-03 16:24:50] justin at timelesstech dot com

Yes it probably is related to that "fix" BUT this "fix" breaks a ton of
code and changes the behavior. Can the "fix" be done in such a way that
it prevents the security vulnerability, but doesn't break all the
existing code out there that needs the client path of file(s) being
uploaded?

Also before this new fix is fixed, is there any workaround?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/29937

-- 
Edit this bug report at http://bugs.php.net/?id=29937&edit=1
