PHP :: Bug #49683 :: $_FILES overwrite

Bug #49683	$_FILES overwrite
Submitted:	2009-09-26 21:47 UTC	Modified:	2016-08-07 18:05 UTC
From:	adamiwaniuk at gmail dot com	Assigned:	cmb (profile)
Status:	Duplicate	Package:	*General Issues
PHP Version:	5.2.11	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	adamiwaniuk at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2009-09-26 21:47 UTC] adamiwaniuk at gmail dot com

Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx' it is possible to prepeare some fake data of $_FILES structure aray
If someone upload multiple files it is possible to set fake size of file, or when someone is using unsafe method upload (without is_uploaded_file()/move_uploaded_file()) to set tmp_name to any file

example content:

Content-Disposition: form-data; name="images[[tmp_name]"; filename="file.txt"

Content-Disposition: form-data; name="images[tmp_name]["; filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES)?>

<?php

foreach ($_FILES["images"]["tmp_name"] as $key => $name){
	copy($_FILES["images"]["tmp_name"][$key],'upload\\a'.rand().'.txt');
}
?>


<?php
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
	if ($_FILES["images"]["size"][$key]>0 && $_FILES["images"]["size"][$key]<1024)
		move_uploaded_file($_FILES["images"]["tmp_name"][$key],'upload\\'.rand().'.txt');
}

?>


Expected result:
----------------
it should skip upload file when 'name' ends with [ or '[xxx'

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-09-27 02:52 UTC] jani@php.net

Same problem as already reported in bug #48597

[2016-08-07 18:05 UTC] cmb@php.net

-Status: Not a bug +Status: Duplicate -Assigned To: +Assigned To: cmb

[2016-08-07 18:05 UTC] cmb@php.net

> Same problem as already reported in bug #48597

So this is a duplicate.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 12:00:01 2025 UTC