#50314 [Fbk-Opn]: File upload problem
ID: 50314 User updated by: jj07020 at lanet dot lv Reported By: jj07020 at lanet dot lv -Status: Feedback +Status: Open Bug Type: Apache2 related Operating System: Windows XP Pro SP3 PHP Version: 5.3.1 New Comment: I tried it with php 5.2 (Snapshot Fri, 27 Nov 2009 11:41:38 +, Version: 5.2.12RC3-dev) and it produces the same result. Previous Comments: [2009-11-27 14:27:18] j...@php.net Please try using this snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://windows.php.net/snapshots/ [2009-11-27 14:20:01] jj07020 at lanet dot lv Description: It is possible to supply a filename which will be incorrectly parsed by PHP. The problem occurs when uploading a file from an HTML form with attributes name=file[ (lacking the closing bracket) and type=file. I'm using Apache 2.2.14 PHP 5.3.1, but I was able to reproduce the bug with Apache 2.2.10 PHP 5.3.0. Reproduce code: --- HTML form - form.html: form method=post enctype=multipart/form-data action=upload.php input type=file name=file[ / input type=submit value=OK / /form PHP code - upload.php: ?php var_dump($_FILES); ? The body of the HTTP request: 3PL7QzumhbsotvnG6nZnmR Content-Disposition: form-data; name=file[; filename=code.gif Content-Type: image/gif binary gif data 3PL7QzumhbsotvnG6nZnmR-- Expected result: The array $_FILES should contain valid keys as specified in http://www.php.net/manual/en/features.file-upload.post-method.php. Hovever, the following assertion fails: if (isset($_FILES[file])) { assert(is_string($_FILES[name])); // actual key is [name } Since the filename (file[) lacks the closing bracket, it probably should be interpreted as a single file named file[: array(1) { [file[]= array(5) { [name]= string(8) code.gif [type]= string(9) image/gif [tmp_name]= string(17) C:\Temp\php3A.tmp [error]= int(0) [size]= int(3342) } } Actual result: -- The array $_FILES: array(1) { [file]= array(5) { [[name]= string(8) code.gif [[type]= string(9) image/gif [[tmp_name]= string(17) C:\Temp\php3A.tmp [[error]= int(0) [[size]= int(3342) } } -- Edit this bug report at http://bugs.php.net/?id=50314edit=1
#50314 [NEW]: File upload problem
From: jj07020 at lanet dot lv Operating system: Windows XP Pro SP3 PHP version: 5.3.1 PHP Bug Type: Apache2 related Bug description: File upload problem Description: It is possible to supply a filename which will be incorrectly parsed by PHP. The problem occurs when uploading a file from an HTML form with attributes name=file[ (lacking the closing bracket) and type=file. I'm using Apache 2.2.14 PHP 5.3.1, but I was able to reproduce the bug with Apache 2.2.10 PHP 5.3.0. Reproduce code: --- HTML form - form.html: form method=post enctype=multipart/form-data action=upload.php input type=file name=file[ / input type=submit value=OK / /form PHP code - upload.php: ?php var_dump($_FILES); ? The body of the HTTP request: 3PL7QzumhbsotvnG6nZnmR Content-Disposition: form-data; name=file[; filename=code.gif Content-Type: image/gif binary gif data 3PL7QzumhbsotvnG6nZnmR-- Expected result: The array $_FILES should contain valid keys as specified in http://www.php.net/manual/en/features.file-upload.post-method.php. Hovever, the following assertion fails: if (isset($_FILES[file])) { assert(is_string($_FILES[name])); // actual key is [name } Since the filename (file[) lacks the closing bracket, it probably should be interpreted as a single file named file[: array(1) { [file[]= array(5) { [name]= string(8) code.gif [type]= string(9) image/gif [tmp_name]= string(17) C:\Temp\php3A.tmp [error]= int(0) [size]= int(3342) } } Actual result: -- The array $_FILES: array(1) { [file]= array(5) { [[name]= string(8) code.gif [[type]= string(9) image/gif [[tmp_name]= string(17) C:\Temp\php3A.tmp [[error]= int(0) [[size]= int(3342) } } -- Edit bug report at http://bugs.php.net/?id=50314edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=50314r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=50314r=trysnapshot53 Try a snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=50314r=trysnapshot60 Fixed in SVN: http://bugs.php.net/fix.php?id=50314r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=50314r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=50314r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=50314r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=50314r=needscript Try newer version: http://bugs.php.net/fix.php?id=50314r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=50314r=support Expected behavior: http://bugs.php.net/fix.php?id=50314r=notwrong Not enough info: http://bugs.php.net/fix.php?id=50314r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=50314r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=50314r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=50314r=php4 Daylight Savings:http://bugs.php.net/fix.php?id=50314r=dst IIS Stability: http://bugs.php.net/fix.php?id=50314r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=50314r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=50314r=float No Zend Extensions: http://bugs.php.net/fix.php?id=50314r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=50314r=mysqlcfg