torben Wed Feb 6 20:45:39 2002 EDT
Modified files:
/phpdoc/en/functions filesystem.xml
Log:
Replaced the userland version of is_uploaded_file() for older versions
of PHP, except this time in the is_uploaded_file refentry. There are still
people who have no choice but to run older versions.
Index: phpdoc/en/functions/filesystem.xml
diff -u phpdoc/en/functions/filesystem.xml:1.115
phpdoc/en/functions/filesystem.xml:1.116
--- phpdoc/en/functions/filesystem.xml:1.115 Sat Feb 2 10:35:58 2002
+++ phpdoc/en/functions/filesystem.xml Wed Feb 6 20:45:38 2002
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.115 $ -->
+<!-- $Revision: 1.116 $ -->
<reference id="ref.filesystem">
<title>Filesystem functions</title>
<titleabbrev>Filesystem</titleabbrev>
@@ -1923,15 +1923,10 @@
</refnamediv>
<refsect1>
<title>Description</title>
- <methodsynopsis>
- <type>bool</type><methodname>is_uploaded_file</methodname>
- <methodparam><type>string</type><parameter>filename</parameter></methodparam>
- </methodsynopsis>
-
- <para>
- This function is available only in versions of PHP 3 after PHP
- 3.0.16, and in versions of PHP 4 after 4.0.2.
- </para>
+ <methodsynopsis>
+ <type>bool</type><methodname>is_uploaded_file</methodname>
+ <methodparam><type>string</type><parameter>filename</parameter></methodparam>
+ </methodsynopsis>
<para>
Returns &true; if the file named by <varname>filename</varname> was
@@ -1946,6 +1941,43 @@
that anything done with uploaded files could reveal their
contents to the user, or even to other users on the same
system.
+ </para>
+
+ <para>
+ <function>is_uploaded_file</function> is available only in
+ versions of PHP 3 after PHP 3.0.16, and in versions of PHP 4
+ after 4.0.2. If you are stuck using an earlier version, you can
+ use the following function to help protect yourself:
+ <note>
+ <para>
+ This will <emphasis>not</emphasis> work in versions of PHP 4
+ after 4.0.2. It depends on internal functionality of PHP which
+ changed after that version.
+ </para>
+ </note>
+ <programlisting role="php">
+<![CDATA[
+<?php
+/* Userland test for uploaded file. */
+function is_uploaded_file($filename) {
+ if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
+ $tmp_file = dirname(tempnam('', ''));
+ }
+ $tmp_file .= '/' . basename($filename);
+ /* User might have trailing slash in php.ini... */
+ return (ereg_replace('/+', '/', $tmp_file) == $filename);
+}
+
+/* This is how to use it, since you also don't have
+ * move_uploaded_file() in these older versions: */
+if (is_uploaded_file($HTTP_POST_FILES['userfile'])) {
+ copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
+} else {
+ echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
+}
+?>
+]]>
+ </programlisting>
</para>
<para>
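Review bot: The usage example in the added listing passes `$HTTP_POST_FILES['userfile']` itself to `is_uploaded_file()`, `copy()` and the `echo`. As far as I know, in the PHP 4 releases this fallback targets that entry is an array describing the upload, so the calls should use the temporary path, e.g. `is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])`. The userland function also only establishes that the name sits directly inside `upload_tmp_dir` (or the directory `tempnam()` falls back to), not that PHP created the file for this request. The paragraph introducing it should therefore say it is a weaker check than the built-in, something like `This only verifies that the file is located in the upload directory; keep that directory private to PHP.` Separately, the failure branch echoes the submitted name unescaped, and the name is equally untrusted if this message is sent to a log instead.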