ID:               29937
 User updated by:  justin at timelesstech dot com
 Reported By:      justin at timelesstech dot com
 Status:           Open
 Bug Type:         *Directory/Filesystem functions
 Operating System: FreeBSD 4.8 stable
 PHP Version:      4.3.8
 New Comment:

Yes it probably is related to that "fix" BUT this "fix" breaks a ton of
code and changes the behavior. Can the "fix" be done in such a way that
it prevents the security vulnerability, but doesn't break all the
existing code out there that needs the client path of file(s) being
uploaded?

Also before this new fix is fixed, is there any workaround?


Previous Comments:
------------------------------------------------------------------------

[2004-09-03 14:56:06] brad at timelesstech dot com

It might have something to do with this bug fix:
http://bugs.php.net/bug.php?id=28456

------------------------------------------------------------------------

[2004-09-02 08:40:25] justin at timelesstech dot com

Our web host, pair Networks, installed the PHP version to the server. I
believe they compiled from source, and I know they are experts at
installing and configuring PHP as they manage hundreds of servers.

>From a phpinfo() command here are the configure command options they
used on Aug 18/04:

'./configure' '--with-apache=/usr/pair/sw/apache_1.3.29'
'--with-config-file-path=/usr/local/etc' '--enable-magic-quotes'
'--enable-bcmath' '--without-cdb' '--with-zlib-dir=/usr/local'
'--with-gd' '--with-ttf' '--without-msql' '--with-mysql=/usr/local'
'--with-iodbc' '--with-pdflib' '--enable-inline-optimization'
'--disable-memory-limit' '--with-db' '--without-gdbm' '--with-ndbm'
'--without-db2' '--without-dbm' '--with-gettext' '--without-readline'
'--with-recode' '--without-openssl' '--with-mcrypt' '--without-db3'
'--enable-dba' '--with-curl' '--with-png-dir=/usr/local/lib'
'--with-jpeg-dir=/usr/local/lib' '--enable-calendar' '--with-mhash'
'--enable-xslt' '--with-xslt-sablot' '--with-expat-dir=/usr/local'
'--enable-gd-lzw-gif' '--enable-mstring'

------------------------------------------------------------------------

[2004-09-02 08:20:28] [EMAIL PROTECTED]

Did you compile PHP from source or did you use the ports? If you used
the ports, can you check what patches were applied to the clean php
source?

------------------------------------------------------------------------

[2004-09-01 22:40:40] justin at timelesstech dot com

Description:
------------
We have had scripts running for a while now fine on PHP 4.3.4 that
assume that the $_FILES['name'] value on file uploads contains the full
/path/to/the/filename.txt

However after our server admins upgraded to PHP 4.3.8 the
$FILES['name'] now only contains the filename, with no path. This makes
it impossible for our recursive file uploader script to work, since it
NEEDS the pathname of those files to know what directory/subdir on the
server to upload the file(s) to!

The changelog does not mention this, but does anybody have any ideas?



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=29937&edit=1

Reply via email to