From:             adamiwaniuk at gmail dot com
Operating system: 
PHP version:      5.2.11
PHP Bug Type:     Unknown/Other Function
Bug description:  $_FILES overwrite

Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx', it is
possible to prepare some fake data in the $_FILES structure array.
If someone uploads multiple files, it is possible to set a fake size of a file,
or, when someone is using an unsafe upload method (without
is_uploaded_file()/move_uploaded_file()), to set tmp_name to any file.

example content:

Content-Disposition: form-data; name="images[[tmp_name]";
filename="file.txt"

Content-Disposition: form-data; name="images[tmp_name][";
filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES)?>

<?php
// Unsafe handler: copies tmp_name directly, without
// is_uploaded_file()/move_uploaded_file()
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
        copy($_FILES["images"]["tmp_name"][$key], 'upload\\a'.rand().'.txt');
}
?>


<?php
// Handler that trusts the client-supplied size before move_uploaded_file()
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
        if ($_FILES["images"]["size"][$key] > 0 &&
            $_FILES["images"]["size"][$key] < 1024)
                move_uploaded_file($_FILES["images"]["tmp_name"][$key], 'upload\\'.rand().'.txt');
}
?>


Expected result:
----------------
It should skip the uploaded file when 'name' ends with '[' or '[xxx'.

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}
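The two handlers in the reproduce code trust the client-controlled tmp_name and size entries. The following is an added example (not part of the bug report or of PHP itself) of a handler that refuses a $_FILES entry whose name/type/tmp_name/error/size sub-arrays are not keyed identically, which is exactly the shape shown in the actual result above, and that relies on is_uploaded_file(), the real file size, and move_uploaded_file() instead of the submitted values. It assumes PHP 7 or later (scalar type hints, random_bytes()); the function names and the 1024-byte limit are the example's own, and the $forged input is constructed to mirror the dump above.

```php
<?php
// Added example (not from the bug report): defensive handling of a
// multi-file $_FILES entry. It rejects entries whose sub-arrays do not
// share the same key set (the symptom in the report, where tmp_name has
// five keys but name/type/error/size have one) and never trusts tmp_name
// or size without is_uploaded_file()/move_uploaded_file().

function validated_uploads(array $files, string $field): array
{
    if (!isset($files[$field])) {
        return [];
    }
    $entry = $files[$field];
    $required = ['name', 'type', 'tmp_name', 'error', 'size'];
    foreach ($required as $k) {
        if (!array_key_exists($k, $entry)) {
            throw new RuntimeException("missing key $k in \$_FILES[$field]");
        }
    }
    // Normalise the single-file shape to the multi-file shape.
    if (!is_array($entry['tmp_name'])) {
        foreach ($required as $k) {
            $entry[$k] = [$entry[$k]];
        }
    }
    // Every sub-array must be keyed identically; a mismatch means the
    // structure was not built from one consistent set of uploaded parts.
    $keys = array_keys($entry['tmp_name']);
    foreach ($required as $k) {
        if (!is_array($entry[$k]) || array_keys($entry[$k]) !== $keys) {
            throw new RuntimeException("inconsistent \$_FILES[$field][$k] structure");
        }
    }
    $ok = [];
    foreach ($keys as $key) {
        $tmp = $entry['tmp_name'][$key];
        if ($entry['error'][$key] !== UPLOAD_ERR_OK) {
            continue;
        }
        // Only files PHP itself placed in the upload temp dir qualify.
        if (!is_string($tmp) || !is_uploaded_file($tmp)) {
            continue;
        }
        // Take the size from the file system, not from the request.
        $size = filesize($tmp);
        if ($size === false || $size <= 0 || $size > 1024) {
            continue;
        }
        $ok[$key] = [
            'tmp_name' => $tmp,
            'name'     => (string) $entry['name'][$key],
            'size'     => $size,
        ];
    }
    return $ok;
}

function store_uploads(array $files, string $field, string $dir): int
{
    $stored = 0;
    foreach (validated_uploads($files, $field) as $f) {
        // Choose the destination name ourselves; the client name is not used.
        $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.txt';
        if (move_uploaded_file($f['tmp_name'], $dest)) {
            $stored++;
        }
    }
    return $stored;
}

// Constructed input mirroring the report's "Actual result": tmp_name has
// five keys while the other sub-arrays have one, so the entry is rejected
// before any file is touched.
$forged = ['images' => [
    'name'     => ['[tmp_name' => 'file.txt'],
    'type'     => ['[tmp_name' => 'text/plain'],
    'tmp_name' => ['[tmp_name' => '/tmp/php36E3.tmp', '[name' => 'index.php',
                   '[type' => 'text/plain', '[error' => 0, '[size' => 11],
    'error'    => ['[tmp_name' => 0],
    'size'     => ['[tmp_name' => 3],
]];
try {
    validated_uploads($forged, 'images');
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In a real handler, call store_uploads($_FILES, 'images', $uploadDir) and treat a RuntimeException as a malformed request rather than as a per-file error; the key-set check is what turns the report's overwrite into a rejected request, while is_uploaded_file() and filesize() remove the remaining dependence on client-supplied tmp_name and size.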

-- 
Edit bug report at http://bugs.php.net/?id=49683&edit=1