 ID:               38245
 Updated by:       [EMAIL PROTECTED]
 Reported By:      david at orangegateos dot com
-Status:           Open
+Status:           Assigned
 Bug Type:         *General Issues
 Operating System: Windows 2003 and IIS6.0
 PHP Version:      5CVS-2006-07-31 (snap)
-Assigned To:
+Assigned To:      iliaa
 New Comment:

Ilia, this can't be intentional..


Previous Comments:
------------------------------------------------------------------------

[2007-06-21 22:28:31] [EMAIL PROTECTED]

Uhm, I think the filename should only be escaped after applying basename(). I didn't look at the sources to check if that is possible, though.

------------------------------------------------------------------------

[2006-08-04 16:07:48] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

Actually upon further review it seems that this behavior is intended. The filename is supposed to contain just the filename, however on Win32 backslash (\) is considered to be a directory separator, so foo\'bar.txt would actually be treated as directory foo containing file 'bar.txt.

------------------------------------------------------------------------

[2006-07-31 21:51:17] david at orangegateos dot com

I did some rather extensive testing today with many different versions of PHP. I used Windows versions of PHP for my testing. Utilized versions of PHP 5 were from 5.0.0 to 5.1.4 and versions of PHP 4 from 4.1.0 to 4.4.2. The result I was looking for was a full, escaped filename to be output on the page (e.g. David\'s Image.jpg).

Versions that gave the *desired* results were: 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 5.0.0, 5.0.1, and 5.0.2.

Versions 4.3.10+ and 5.0.3+ all gave incorrect results. It is noted in the ChangeLog that this bug was fixed in PHP versions 4.3.11 and 5.0.4, but these versions still produce incorrect results.

In the "Handling File Uploads" documentation notes section, some users report that there are some problems with this feature. The first occurrence of this is at http://us2.php.net/manual/en/features.file-upload.php#60024, and another appears at http://us2.php.net/manual/en/features.file-upload.php#64087.

The documentation states that $_FILES['userfile']['name'] is "the original name of the file on the client machine". Are Windows versions of PHP supposed to be chopping off the filename if magic_quotes_gpc is on, or is it supposed to return the full, escaped filename?

------------------------------------------------------------------------

[2006-07-28 21:42:14] david at orangegateos dot com

I have just tried the linked version for Windows, and I continue to receive the same problem. I used the included php.ini-dist file, unmodified from the zip file. However, I do receive the full, escaped filename with 5.0.2, similar to what you say you receive with the linked 5.2. This is on a Windows Server 2003 box with IIS6.0.

------------------------------------------------------------------------

[2006-07-28 21:05:46] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php5.2-win32-latest.zip

I've tried it on latest version of PHP 5.2 from CVS and it works fine, the full, escaped file name is returned.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/38245

-- 
Edit this bug report at http://bugs.php.net/?id=38245&edit=1
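
The ordering problem discussed in this thread, as an added example that is not part of the original report or of the PHP sources: it compares escaping before stripping the directory part with stripping before escaping. The helper `win_basename()` is hypothetical (it mimics the Win32 separator handling described in the 2006-08-04 comment so the script behaves the same on any platform), and the sample filenames are constructed.

```php
<?php
// Added illustration, not code from php-src. win_basename() is a hypothetical
// helper that splits on both '/' and '\', the separators the thread says
// Win32 builds honour, so the result is the same on any platform.
function win_basename($path)
{
    $parts = preg_split('#[/\\\\]#', rtrim($path, '/\\'));
    return end($parts);
}

// Constructed sample names: a bare filename and a full client-side path.
$samples = array(
    "David's Image.jpg",
    "C:\\Users\\david\\David's Image.jpg",
);

foreach ($samples as $clientName) {
    // Order described in the report: the name is escaped first (as
    // magic_quotes_gpc does), then the directory part is stripped. The
    // backslash inserted before the apostrophe is read as a separator,
    // so everything up to the apostrophe is lost.
    $escapeThenStrip = win_basename(addslashes($clientName));

    // Order suggested in the 2007-06-21 comment: strip the directory part
    // from the raw name, then escape what is left.
    $stripThenEscape = addslashes(win_basename($clientName));

    printf("raw:                  %s\n", $clientName);
    printf("escape then basename: %s\n", $escapeThenStrip);
    printf("basename then escape: %s\n\n", $stripThenEscape);
}
```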