ID: 38245 User updated by: david at orangegateos dot com Reported By: david at orangegateos dot com Status: Open Bug Type: Scripting Engine problem Operating System: Windows 2003 and IIS6.0 -PHP Version: 5CVS-2006-07-28 (snap) +PHP Version: 5CVS-2006-07-31 (snap) New Comment:
I did some rather extensive testing today with many different versions of PHP. I used Windows versions of PHP for my testing. Utilized versions of PHP 5 were from 5.0.0 to 5.1.4 and versions of PHP 4 from 4.1.0 to 4.4.2. The result I was looking for was a full, escaped filename to be output on the page (e.g. David\'s Image.jpg). Versions that gave the *desired* results were: 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 5.0.0, 5.0.1, and 5.0.2. Versions 4.3.10+ and 5.0.3+ all gave incorrect results. It is noted in the ChangeLog that this bug was fixed in PHP versions 4.3.11 and 5.0.4, but these versions still produce incorrect results. In the "Handling File Uploads" documentation notes section, some users report that there are some problems with this feature. The first occurrence of this is at http://us2.php.net/manual/en/features.file-upload.php#60024, and another appears at http://us2.php.net/manual/en/features.file-upload.php#64087. The documentation states that $_FILES['userfile']['name'] is "the original name of the file on the client machine". Are Windows versions of PHP supposed to be chopping off the filename if magic_quotes_gpc is on, or is it supposed to return the full, escaped filename? Previous Comments: ------------------------------------------------------------------------ [2006-07-28 21:42:14] david at orangegateos dot com I have just tried the linked version for Windows, and I continue to receive the same problem. I used the included php.ini-dist file, unmodified from the zip file. However, I do receive the full, escaped filename with 5.0.2, similiar to what you say you receive with the linked 5.2. This is on a Windows Server 2003 box with IIS6.0. ------------------------------------------------------------------------ [2006-07-28 21:05:46] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://snaps.php.net/win32/php5.2-win32-latest.zip I've tried it on latest version of PHP 5.2 from CVS and it works fine, the full, escaped file name is returned. ------------------------------------------------------------------------ [2006-07-28 20:39:45] david at orangegateos dot com Description: ------------ This problem seems to be related to an older occurrence of the bug found at http://bugs.php.net/bug.php?id=31398. The full filename is not passed to the $_FILES[] array when submitting a file with an apostrophe in the name. For example: David's Image.jpg When uploading this file, everything before and including the apostrophe is removed so that the following will only show: s Image.jpg. The problem occurs when I am using $_FILES['userfile']['name'] to retrieve the original filename. I tried todays CVS, upgrading from 5.1.4. Also, I have tried PHP 4.4.2 on Windows, and the problem occurs there as well, but not on a Linux system. As was suggested in the previous bug report, I tried 5.0.2 and this bug is not reproducible. Reproduce code: --------------- <?php echo '<h1>' . $_FILES['userfile']['name'] . '</h1>'; ?> <form name="fileUpload" enctype="multipart/form-data" method="post" action="index.php"> <input type="hidden" name="MAX_FILE_SIZE" value="2000000" /> <input type="file" name="userfile" value="" /><br /> <br /> <input type="submit" name="submit" value="Upload File" /> </form> Expected result: ---------------- The full name of the file, including the apostrophe: David's Image.jpg. Actual result: -------------- The first part of the filename is removed, including the apostrophe. Displays: s Image.jpg. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=38245&edit=1
