|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2016-04-18 21:17 UTC] mail at michael-kaufmann dot ch
Description:
------------
Fuzz testing revealed that this multipart request is parsed differently, depending on the number of 'a' characters:
--BOUNDARY
Content-Disposition: form-data; name="test"; aaaaaaaaa...aaaaaaaaaa:; filename="test.txt"
This is a test
--BOUNDARY--
For up to 5074 'a' characters, PHP parses this as a file upload: _FILES["test"] contains an array.
For 5075 'a' characters and more, PHP parses this as a POST parameter: _POST["test"] contains the string "This is a test".
This is very strange behavior. I expect that PHP parses these requests the same way, regardless of the number of 'a' characters.
Test script:
---------------
#!/bin/bash
(
printf -- "--BOUNDARY\r\n"
printf -- "Content-Disposition: form-data; name=\"test\"; "
printf -- "a%.0s" {1..5074}
printf -- ":; filename=\"test.txt\"\r\n"
printf -- "\r\n"
printf -- "This is a test\r\n"
printf -- "--BOUNDARY--"
) > /tmp/test.dat
curl -H "Content-Type: multipart/form-data; boundary=BOUNDARY" --data-binary @/tmp/test.dat http://.../phpinfo.php
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Dec 26 20:01:29 2024 UTC |
This is what happens: next_line() in rfc1867.c returns a partial (truncated) header line for very long headers. multipart_buffer_headers() processes this partial header line like a complete header line if it contains a colon (":"). The remaining part of the header line is then processed as a separate header. In the example, the "Content-Disposition" header is split like this: First header: - name: Content-Disposition - value: form-data; name="test"; aaaaaaaaa...aaaaaaaaaa Second header: - name: (empty) - value: ; filename="test.txt"