PHP :: Bug #50314 :: File upload problem with typo in form

Bug #50314

File upload problem with typo in form

Submitted:

2009-11-27 14:20 UTC

Modified:

2016-08-07 18:07 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	0 (0.0%)

From:

jj07020 at lanet dot lv

Assigned:

cmb (profile)

Status:

Duplicate

Package:

*General Issues

PHP Version:

5.*, 6

OS:

Windows XP Pro SP3

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jj07020 at lanet dot lv
New email:
PHP Version:		OS:

New Comment:

[2009-11-27 14:20 UTC] jj07020 at lanet dot lv

Description:
------------
It is possible to supply a filename which will be incorrectly parsed by PHP. The problem occurs when uploading a file from an HTML form with attributes name="file[" (lacking the closing bracket) and type="file". I'm using Apache 2.2.14 & PHP 5.3.1, but I was able to reproduce the bug with Apache 2.2.10 & PHP 5.3.0.


Reproduce code:
---------------
HTML form - form.html:

<form method="post" enctype="multipart/form-data" action="upload.php">
<input type="file" name="file[" />
<input type="submit" value="OK" />
</form>


PHP code - upload.php:

<?php
var_dump($_FILES);
?>


The body of the HTTP request:

------------3PL7QzumhbsotvnG6nZnmR
Content-Disposition: form-data; name="file["; filename="code.gif"
Content-Type: image/gif

<binary gif data>

------------3PL7QzumhbsotvnG6nZnmR--


Expected result:
----------------
The array $_FILES should contain valid keys as specified in http://www.php.net/manual/en/features.file-upload.post-method.php. Hovever, the following assertion fails:

if (isset($_FILES["file"])) {
    assert(is_string($_FILES["name"])); // actual key is "[name"
}

Since the filename ("file[") lacks the closing bracket, it probably should be interpreted as a single file named "file[":

array(1) { ["file["]=> array(5) { ["name"]=> string(8) "code.gif" ["type"]=> string(9) "image/gif" ["tmp_name"]=> string(17) "C:\Temp\php3A.tmp" ["error"]=> int(0) ["size"]=> int(3342) } }


Actual result:
--------------
The array $_FILES:

array(1) { ["file"]=> array(5) { ["[name"]=> string(8) "code.gif" ["[type"]=> string(9) "image/gif" ["[tmp_name"]=> string(17) "C:\Temp\php3A.tmp" ["[error"]=> int(0) ["[size"]=> int(3342) } }

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-11-29 12:38 UTC] jj07020 at lanet dot lv

I tried it with php 5.2 (Snapshot Fri, 27 Nov 2009 11:41:38 +0000, Version: 5.2.12RC3-dev) and it produces the same result.

[2009-11-30 16:10 UTC] jani@php.net

This is not specific to any SAPI, happens also with sapi/cgi/ from today.

[2013-12-05 19:41 UTC] mike@php.net

See bug #48597

[2016-08-07 18:07 UTC] cmb@php.net

-Status: Verified +Status: Duplicate -Assigned To: +Assigned To: cmb

[2016-08-07 18:07 UTC] cmb@php.net

> See bug #48597

Actually, this report is a duplicate of the other report.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 14:01:29 2024 UTC