PHP :: Bug #40813 :: upload filename

Bug #40813	upload filename
Submitted:	2007-03-15 09:47 UTC	Modified:	2007-03-18 20:25 UTC
From:	gianluca dot gimigliano at interno dot it	Assigned:	iliaa (profile)
Status:	Not a bug	Package:	*Web Server problem
PHP Version:	5.2.1	OS:	Windows XP
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	gianluca dot gimigliano at interno dot it
New email:
PHP Version:		OS:

New Comment:

[2007-03-15 09:47 UTC] gianluca dot gimigliano at interno dot it

Description:
------------
When you try to upload a file with the character:' in the name, 
the uploaded file name is read from the ' position.

Reproduce code:
---------------
<html><head></head>
<body>
<?
if ($_FILES['uploaded']) echo $_FILES['uploaded']['name'];
	
?>
<form method="post"  enctype="multipart/form-data">
	<input name="uploaded" type="file">
	<input name="send" type="submit" value="send">
</form>
</body>
</html>

Expected result:
----------------
If the uploaded file name is: special'ized.doc 
The correct output is: special'ized.doc 


Actual result:
--------------
If the uploaded file name is: special'ized.doc 
The real output is: ized.doc

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-03-15 13:02 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

[2007-03-15 14:19 UTC] gianluca dot gimigliano at interno dot it

With this apache version:
Apache Version  Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d PHP/5.2.2-dev  

The prolem is the same

[2007-03-17 00:42 UTC] tony2001@php.net

Ilia, please take a look at this issue.
It's your patch causes this behaviour: 
http://cvs.php.net/viewvc.cgi/php-src/main/rfc1867.c?view=diff&r1=1.168&r2=1.169
The last #ifdef PHP_WIN32 doesn't look right, did it get there by mistake?

[2007-03-17 00:48 UTC] edink@php.net

I the meanwhile you can set

magic_quotes_gpc=off

in your php.ini which will avoid this problem if your code does not depend on the magic_quotes (which it shouldn't anyway),

[2007-03-18 20:25 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

On Win32 \ is a directory separator, so when \ is added to escape ' and 
alike characters due to magic_quotes_gpc you end up in a situation where 
part of the filename is stripped.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 11:01:30 2024 UTC