CPT John W. Holmes wrote:
I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.
You would send your own /etc/passwd to the server.

Either way, I can still construct a POST to your site using cURL or something to "simulate" sending you a file with a name of a file on your server.
I checked it. I tried phpinfo.php?_FILES[file][tmp_name]=/etc/passwd and the $_FILES superglobal was not set. My guess is it is the same for POST and cookies. But who knows if this will be the same in PHP7 ;)


So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist.

---John Holmes...


-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
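The check John is referring to, as an added example that is not code from anyone in this thread: a handler that trusts `$_FILES[...]['tmp_name']` beside one that first asks PHP whether that path really belongs to the current request's upload. The function names, the forged `$_FILES` entry and the destination directory are assumptions made for the demonstration.

```php
<?php
// Added example, not from the thread. Function names, the forged $_FILES
// entry and the destination directory are assumptions for illustration.
declare(strict_types=1);

// UNSAFE: trusts tmp_name. If tmp_name is ever attacker-controlled (the
// register_globals era, or a framework that merges request data into $_FILES),
// this copies an arbitrary server-side file into the destination directory.
function save_upload_unsafe(array $file, string $destDir): string
{
    $dest = $destDir . '/' . basename($file['name']);
    copy($file['tmp_name'], $dest);
    return $dest;
}

// SAFE: only accept a path that PHP itself created for this request's upload.
function save_upload_safe(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() consults PHP's own list of temp files received via the
    // current POST; a path like /etc/passwd is never on that list.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Never build the destination from the client-supplied name.
    $dest = $destDir . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() repeats the same check and then moves the file.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Constructed input: an attacker who managed to set tmp_name to a server path.
$forged = [
    'name'     => 'avatar.png',
    'type'     => 'image/png',
    'tmp_name' => '/etc/passwd',
    'error'    => UPLOAD_ERR_OK,
    'size'     => 1234,
];
$destDir = sys_get_temp_dir();

// The unsafe version happily copies /etc/passwd to $destDir/avatar.png.
$leaked = save_upload_unsafe($forged, $destDir);
printf("unsafe: copied %d bytes of %s to %s\n",
    filesize($leaked), $forged['tmp_name'], $leaked);
unlink($leaked);

// The safe version refuses: is_uploaded_file('/etc/passwd') is false.
var_dump(save_upload_safe($forged, $destDir));
```

Run it with the CLI (`php upload_check.php`) and the unsafe function reports a copy of `/etc/passwd` while the safe one returns `NULL`. In a real request the only paths `is_uploaded_file()` accepts are the temp files PHP wrote for that POST, so the check holds regardless of what a client, a query string or a careless framework put into `$_FILES`; `register_globals` itself was removed in PHP 5.4, but the check is still the right defence against the second case.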


