Bug #31398 File Upload Original name problem with magic_quotes_gpc = On
Submitted: 2005-01-04 00:20 UTC Modified: 2007-03-17 00:30 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: lobo235 at gmail dot com Assigned:
Status: Closed Package: *Web Server problem
PHP Version: 4CVS-2005-01-04 (stable) OS: Windows and Linux
Private report: No CVE-ID:
 [2005-01-04 00:20 UTC] lobo235 at gmail dot com
Description:
------------
The full name of the file is not put into the $_FILES[] array when a file is uploaded that has an apostrophe in the name.
For example:
lobo235's fam.jpg

The first part of the filename including the apostrophe is cut off so it shows as:
s fam.jpg

I am using $_FILES['userfile']['name'] to try and get the original file name when I see this.

Reproduce code:
---------------
<?php
	echo "<h2>".$_FILES['userfile']['name']."</h2>";
?>
<form method="post" action="p.php" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="7000000" />
Attach this file: <input name="userfile" type="file" size="32" /><br />(<i>Max Size: 7 Megabytes</i>)<br />
<input type="submit" name="attach" value="Attach" />
</form>

Expected result:
----------------
The full name of the file uploaded including the apostrophe.

Actual result:
--------------
The first part of the filename is cut off including the apostrophe.

 [2005-01-04 09:12 UTC] derick@php.net
This is a security measure. Also, the RFCs do not require browsers to pass the full original name to an application in the first place, so you should never rely on this field.
 [2005-01-04 22:49 UTC] lobo235 at gmail dot com
If I remember correctly, PHP used to handle filenames of this type just fine. I know that other scripting languages are able to handle these types of filenames just fine. Is there any way that this can be implemented in a future version? It seems like if an array element is going to be set to the "original" file name it should work all the time or not at all. It is misleading when one reads the documentation concerning Handling file uploads. It says:

$_FILES['userfile']['name']

    The original name of the file on the client machine. 

To me this says that no matter what they've named their file this array element always gets set to the name of the file on the client machine. Maybe a change is needed in the documentation.
 [2005-01-05 09:03 UTC] derick@php.net
Yeah, I agree... the documentation should mention this issue.
 [2005-01-05 10:11 UTC] vrana@php.net
I can't reproduce this on PHP 5.0.2 with php.ini-dist, Apache 2 and Windows. "lobo235's fam.jpg" becomes "lobo235\'s fam.jpg" or "lobo235's fam.jpg" with magic_quotes_gpc=Off.

Maybe it's PHP 4 specific.
 [2005-01-05 16:18 UTC] lobo235 at gmail dot com
It may be only PHP4 specific, I do remember it working at one point though using PHP4 a couple of months ago. I had written a file upload script for one of my sites and I remember testing to see what types of filenames it would support and the apostrophes worked fine then. It wasn't until just recently that my host upgraded to 4.3.10 that I started to notice the problem, now my script does not work as it used to.
 [2005-01-11 13:03 UTC] fsolinas at it dot tiscali dot com
I've been able to reproduce this bug on PHP 4.3.10 with
magic_quotes_gpc = On.
It's *not* reproducible turning off magic_quotes_gpc,
because the array element containing the (original) file
name is preserved "intact" this way.

This bug seems to have been introduced in 4.3.10, and breaks
many document management systems that rely on
$_FILES['userfile']['name'] as the name of the file
uploaded, definitely forcing users to *not* use single
quotes in filename.

Do you plan to write a patch to fix this behaviour?
 [2005-01-20 18:57 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2012-12-10 11:31 UTC] jpowell at formability dot co dot uk
This is still an issue on version 5.3.13 with magic_quotes_gpc turned on using Wamp v2.
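
Following the point made in the thread that the client-supplied name should not be relied on, here is an added example (not code from this report or from PHP itself) that treats `$_FILES['userfile']['name']` as untrusted display metadata and lets the server choose the on-disk name. The function name `clean_client_filename` and the directory `/var/uploads/` are hypothetical, and the sample values at the end are constructed.

```php
<?php
// Added example; function name and upload directory are hypothetical.

// Normalise the client-supplied name for display/metadata use only.
function clean_client_filename($raw, $magicQuotes)
{
    // Unescape first: if "\'" is still present when backslashes are treated
    // as path separators, everything up to the apostrophe would be dropped.
    if ($magicQuotes) {
        $raw = stripslashes($raw);
    }
    // Some clients send a full path; keep only the last component.
    $raw  = str_replace('\\', '/', $raw);
    $pos  = strrpos($raw, '/');
    $name = ($pos === false) ? $raw : substr($raw, $pos + 1);
    // Drop control characters (including NUL) and cap the length.
    $name = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $name), 0, 255);
    return ($name === '' || $name === '.' || $name === '..') ? 'unnamed' : $name;
}

// get_magic_quotes_gpc() was removed in PHP 8, so probe before calling it.
$mq = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $tmp     = $_FILES['userfile']['tmp_name'];
    $display = clean_client_filename($_FILES['userfile']['name'], $mq);

    // The on-disk name is chosen by the server, never by the client.
    $stored = '/var/uploads/' . sha1_file($tmp);   // hypothetical directory
    if (is_uploaded_file($tmp) && move_uploaded_file($tmp, $stored)) {
        // Keep $display as metadata; escape it at output time.
        echo '<h2>' . htmlspecialchars($display, ENT_QUOTES, 'UTF-8') . '</h2>';
    }
}

// Constructed sample values, runnable from the CLI:
var_dump(clean_client_filename("lobo235\\'s fam.jpg", true));
var_dump(clean_client_filename("C:\\Users\\me\\lobo235's fam.jpg", false));
```

Because the stored name is derived from the file content, the apostrophe in the original name never reaches the filesystem path, whatever the `magic_quotes_gpc` setting.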
 
Last updated: Thu Apr 24 19:01:53 2014 UTC