|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-02-19 16:48 UTC] craig at craigfrancis dot co dot uk
-Status: Open
+Status: Closed
[2020-02-19 16:48 UTC] craig at craigfrancis dot co dot uk
|
|||||||||||||||||||||||||||
Copyright © 2001-2026 The PHP GroupAll rights reserved. |
Last updated: Tue Mar 31 09:00:01 2026 UTC |
Description: ------------ In the PHP source code, the user supplied filename passes though _basename(). https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1139 The comment mentions this is due to Internet Explorer providing the "full path of the file on the user's filesystem". While that might be valid, it's much more important that the comment focuses on the security issue this avoids. For example, you will find examples of PHP code that does something like this: $dest = __DIR__ . '/../../uploads/' . $_FILES["image"]['name']); move_uploaded_file($_FILES['image']['tmp_name'], $dest); Which would cause a problem if an "Evil Hacker" was to set the filename to a relative path, e.g. curl -F 'file=@example.php;filename=../../../example.php' https://example.com/upload/