PHP :: Bug #38245 :: File Upload Problem When magic_quotes

Bug #38245

File Upload Problem When magic_quotes_gpc = On

Submitted:

2006-07-28 20:39 UTC

Modified:

2007-11-18 14:13 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

david at orangegateos dot com

Assigned:

iliaa (profile)

Status:

Not a bug

Package:

*General Issues

PHP Version:

5CVS-2006-07-31 (snap)

OS:

Windows 2003 and IIS6.0

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	david at orangegateos dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-07-28 20:39 UTC] david at orangegateos dot com

Description:
------------
This problem seems to be related to an older occurrence of the bug found at http://bugs.php.net/bug.php?id=31398.

The full filename is not passed to the $_FILES[] array when submitting a file with an apostrophe in the name.

For example:  David's Image.jpg

When uploading this file, everything before and including the apostrophe is removed so that the following will only show:  s Image.jpg.

The problem occurs when I am using $_FILES['userfile']['name'] to retrieve the original filename.

I tried today?s CVS, upgrading from 5.1.4.  Also, I have tried PHP 4.4.2 on Windows, and the problem occurs there as well, but not on a Linux system.  As was suggested in the previous bug report, I tried 5.0.2 and this bug is not reproducible.

Reproduce code:
---------------
<?php echo '<h1>' . $_FILES['userfile']['name'] . '</h1>'; ?>

<form name="fileUpload" enctype="multipart/form-data" method="post" action="index.php">
<input type="hidden" name="MAX_FILE_SIZE" value="2000000" />
<input type="file" name="userfile" value="" /><br />
<br />
<input type="submit" name="submit" value="Upload File" />
</form>

Expected result:
----------------
The full name of the file, including the apostrophe:  David's Image.jpg.

Actual result:
--------------
The first part of the filename is removed, including the apostrophe.  Displays:  s Image.jpg.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-07-28 21:05 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

I've tried it on latest version of PHP 5.2 from CVS and it 
works fine, the full, escaped file name is returned.

[2006-07-28 21:42 UTC] david at orangegateos dot com

I have just tried the linked version for Windows, and I continue to receive the same problem.  I used the included php.ini-dist file, unmodified from the zip file.

However, I do receive the full, escaped filename with 5.0.2, similiar to what you say you receive with the linked 5.2.

This is on a Windows Server 2003 box with IIS6.0.

[2006-07-31 21:51 UTC] david at orangegateos dot com

I did some rather extensive testing today with many different versions of PHP.  I used Windows versions of PHP for my testing.  Utilized versions of PHP 5 were from 5.0.0 to 5.1.4 and versions of PHP 4 from 4.1.0 to 4.4.2.

The result I was looking for was a full, escaped filename to be output on the page (e.g. David\'s Image.jpg).

Versions that gave the *desired* results were:  4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 5.0.0, 5.0.1, and 5.0.2.

Versions 4.3.10+ and 5.0.3+ all gave incorrect results.  It is noted in the ChangeLog that this bug was fixed in PHP versions 4.3.11 and 5.0.4, but these versions still produce incorrect results.

In the "Handling File Uploads" documentation notes section, some users report that there are some problems with this feature.  The first occurrence of this is at http://us2.php.net/manual/en/features.file-upload.php#60024, and another appears at http://us2.php.net/manual/en/features.file-upload.php#64087.

The documentation states that $_FILES['userfile']['name'] is "the original name of the file on the client machine".  Are Windows versions of PHP supposed to be chopping off the filename if magic_quotes_gpc is on, or is it supposed to return the full, escaped filename?

[2006-08-04 16:07 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Actually upon further review it seems that this behavior is 
intended. The filename is supposed to contain just the 
filename, however on Win32 backslash (\) is considered to be a 
directory separator, at it foo\'bar.txt would actually be 
treated as directory foo containing file 'bar.txt.

[2007-06-21 22:28 UTC] nlopess@php.net

Uhm, I think the filename should only escaped after applying basename(). I didn't look to the sources to check if that is possible, though.

[2007-07-04 17:01 UTC] sniper@php.net

Ilia, this can't be intentional..

[2007-11-18 14:13 UTC] iliaa@php.net

It is intentional behavior. The code already does "basename" before 
magic quotes are applied. However, if you fail to remove the \ char from 
the filename windows will treat it as a directory separator and thus 
will try to place the file inside a wrong directory should you attempt 
to write it.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 17:01:58 2024 UTC