From: adamiwaniuk at gmail dot com
Operating system:
PHP version: 5.2.11
PHP Bug Type: Unknown/Other Function
Bug description: $_FILES overwrite
Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx' it is possible to prepare some fake data of the $_FILES structure array. If someone uploads multiple files it is possible to set a fake size of the file, or, when someone is using an unsafe upload method (without is_uploaded_file()/move_uploaded_file()), to set tmp_name to any file.

Example content:
Content-Disposition: form-data; name="images[[tmp_name]"; filename="file.txt"
Content-Disposition: form-data; name="images[tmp_name]["; filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES) ?>

<?php
// Unsafe handler: copies whatever tmp_name contains, no is_uploaded_file() check.
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
    copy($_FILES["images"]["tmp_name"][$key], 'upload\\a' . rand() . '.txt');
}
?>

<?php
// Handler that trusts the reported size before calling move_uploaded_file().
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
    if ($_FILES["images"]["size"][$key] > 0 && $_FILES["images"]["size"][$key] < 1024)
        move_uploaded_file($_FILES["images"]["tmp_name"][$key], 'upload\\' . rand() . '.txt');
}
?>

Expected result:
----------------
it should skip the uploaded file when 'name' ends with '[' or '[xxx'

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}

--
Edit bug report at http://bugs.php.net/?id=49683&edit=1
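A hardened handler for the multi-file field in the report, added here as an example (not code from the bug report or from PHP): it requires all five $_FILES sub-arrays to share one index set, which the forged "[name"/"[size" entries above break, rejects non-integer slots, validates every tmp_name with is_uploaded_file() and measures the temp file instead of trusting the reported size. The field name images[], the $uploadDir parameter, the 1024-byte limit (taken from the third reproduce snippet) and PHP 7+ are assumptions.

```php
<?php
// Added example, not code from the bug report: a handler for a multi-file
// upload field (assumed to be named images[]) that does not trust the shape
// of $_FILES. $uploadDir is an assumed, server-chosen directory; PHP 7+.
function store_uploads(array $field, string $uploadDir): array
{
    $parts = ['name', 'type', 'tmp_name', 'error', 'size'];
    foreach ($parts as $p) {
        if (!isset($field[$p]) || !is_array($field[$p])) {
            throw new RuntimeException("malformed upload field: no $p array");
        }
    }
    // All five sub-arrays must carry the same index set. The forged "[name",
    // "[size", ... entries in the report exist only under tmp_name.
    $keys = array_keys($field['tmp_name']);
    sort($keys);
    foreach ($parts as $p) {
        $k = array_keys($field[$p]);
        sort($k);
        if ($k !== $keys) {
            throw new RuntimeException("inconsistent upload field: $p");
        }
    }
    $stored = [];
    foreach ($keys as $k) {
        // images[] yields integer indexes; a key such as "[tmp_name" is not a slot.
        if (!is_int($k)) {
            throw new RuntimeException("unexpected upload index: $k");
        }
        if ($field['error'][$k] !== UPLOAD_ERR_OK) {
            continue; // empty slot or failed upload: nothing to store
        }
        $tmp = $field['tmp_name'][$k];
        // Decisive check: only a temp file PHP created for this request is acceptable.
        if (!is_string($tmp) || !is_uploaded_file($tmp)) {
            throw new RuntimeException("tmp_name is not an uploaded file");
        }
        // Never use the client-reported size; measure the temp file.
        $size = filesize($tmp);
        if ($size === false || $size <= 0 || $size >= 1024) { continue; }
        // Server-generated destination; the client filename is ignored.
        $dest = $uploadDir . '/' . bin2hex(random_bytes(8)) . '.txt';
        if (!move_uploaded_file($tmp, $dest)) {
            throw new RuntimeException("could not store upload $k");
        }
        $stored[] = $dest;
    }
    return $stored;
}
```

Called as `store_uploads($_FILES['images'], '/var/app/upload')`, the forged request from the report is rejected at the index-set check before any file is touched.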