#30683 [Opn]: Change in behavious of FILES array between 4.3.6 and 4.3.7_3
ID: 30683
User updated by: bugs at bsdfirst dot com
Reported By: bugs at bsdfirst dot com
Status: Open
-Bug Type: Zend Engine 2 problem
+Bug Type: Feature/Change Request
Operating System: FreeBSD
PHP Version: Irrelevant
New Comment:
I have just confirmed that 4.3.9 also behaves in the same manner as
4.3.7_3. It would appear that this was a bug fix to prevent a security
exploit (use paths containing ../). I wonder if there shouldn't be a
way to obtain the contents of a INPUT type=file field in it's
entirety? Particually since you cannot use php://input whilst POSTing
a mulipart mime form. This could either be another entry in the
$_FILES array, for example $_FILES['pic']['orig_path'] or
$_FILES['pic']['name'] could check for '^http:||ftp:'. The former is
probably the most compatible and the least security risk (a user could
not accidentally use it - they would have to make a deliberate choice).
What are the chances of having something like that added into the 4
series? With all of this in mind I have changed the category of this
report to Feature Request. Thanks, Patrick
Previous Comments:
[2004-11-04 06:11:17] bugs at bsdfirst dot com
Description:
Hi,
I have two FreeBSD servers detailed as follows:
lassa:
FreeBSD 4.10-STABLE
php4-4.3.7_3
apache+mod_ssl+mod_deflate-1.3.31+2.8.18+1.3.14.12+1.0.21_4
honk:
FreeBSD 4.9-RELEASE
php4-4.3.6
apache+mod_ssl+mod_deflate-1.3.29+2.8.16+1.0.20_3
I am using a HTML form (enctype=multipart/form-data) to upload image
files to each server.
On the server honk I am using the function isurlorfile to allow the
user to type a URL instead of selecting a file in the INPUT
type=file box.
Selecting a file for upload works correctly in both cases.
C:\Pics\test.png yields the following the in $_FILES array:
honk lassa:
$_FILES['pic']['name'] contains 'test.png'
However entering a URL only works on the server honk. Entering the URL
http://localhost/test.png into the INPUT type=file box on the form
yields the following results in the $_FILES array:
honk:
$_FILES['pic']['name'] contains 'http://localhost/test.png'
lassa:
$_FILES['pic']['name'] contains 'test.png'
Honk is our development server and we have written code relying on this
undocumented feature.
Obviously the behavious exhibited on the server honk is usefull as a
user can select a file or enter a URL to a file in the one input
field.
Which of these is the expected behaviour? Is there an expected
behaviour and what behaviour would I expect from a more current version
of PHP? Could I request the behaviour exibited on the server honk be a
documented feature?
Thanks,
Patrick Brennan
Reproduce code:
---
function _isurlorfile($str) {
if (is_uploaded_file($str['tmp_name']) $str['size']) {
return $str['tmp_name'];
} elseif (ereg('^http|ftp', $str['name'])) {
return $str['name'];
} else {
return 0;
}
}
--
Edit this bug report at http://bugs.php.net/?id=30683edit=1
#30683 [NEW]: Change in behavious of FILES array between 4.3.6 and 4.3.7_3
From: bugs at bsdfirst dot com
Operating system: FreeBSD
PHP version: Irrelevant
PHP Bug Type: Zend Engine 2 problem
Bug description: Change in behavious of FILES array between 4.3.6 and 4.3.7_3
Description:
Hi,
I have two FreeBSD servers detailed as follows:
lassa:
FreeBSD 4.10-STABLE
php4-4.3.7_3
apache+mod_ssl+mod_deflate-1.3.31+2.8.18+1.3.14.12+1.0.21_4
honk:
FreeBSD 4.9-RELEASE
php4-4.3.6
apache+mod_ssl+mod_deflate-1.3.29+2.8.16+1.0.20_3
I am using a HTML form (enctype=multipart/form-data) to upload image
files to each server.
On the server honk I am using the function isurlorfile to allow the user
to type a URL instead of selecting a file in the INPUT type=file box.
Selecting a file for upload works correctly in both cases.
C:\Pics\test.png yields the following the in $_FILES array:
honk lassa:
$_FILES['pic']['name'] contains 'test.png'
However entering a URL only works on the server honk. Entering the URL
http://localhost/test.png into the INPUT type=file box on the form
yields the following results in the $_FILES array:
honk:
$_FILES['pic']['name'] contains 'http://localhost/test.png'
lassa:
$_FILES['pic']['name'] contains 'test.png'
Honk is our development server and we have written code relying on this
undocumented feature.
Obviously the behavious exhibited on the server honk is usefull as a user
can select a file or enter a URL to a file in the one input field.
Which of these is the expected behaviour? Is there an expected behaviour
and what behaviour would I expect from a more current version of PHP?
Could I request the behaviour exibited on the server honk be a documented
feature?
Thanks,
Patrick Brennan
Reproduce code:
---
function _isurlorfile($str) {
if (is_uploaded_file($str['tmp_name']) $str['size']) {
return $str['tmp_name'];
} elseif (ereg('^http|ftp', $str['name'])) {
return $str['name'];
} else {
return 0;
}
}
--
Edit bug report at http://bugs.php.net/?id=30683edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=30683r=trysnapshot4
Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30683r=trysnapshot50
Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30683r=trysnapshot51
Fixed in CVS:http://bugs.php.net/fix.php?id=30683r=fixedcvs
Fixed in release:http://bugs.php.net/fix.php?id=30683r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=30683r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=30683r=needscript
Try newer version: http://bugs.php.net/fix.php?id=30683r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=30683r=support
Expected behavior: http://bugs.php.net/fix.php?id=30683r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=30683r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=30683r=submittedtwice
register_globals:http://bugs.php.net/fix.php?id=30683r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=30683r=php3
Daylight Savings:http://bugs.php.net/fix.php?id=30683r=dst
IIS Stability: http://bugs.php.net/fix.php?id=30683r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=30683r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=30683r=float
MySQL Configuration Error: http://bugs.php.net/fix.php?id=30683r=mysqlcfg
