Bug #49683 $_FILES overwrite
Submitted: 2009-09-26 21:47 UTC Modified: 2010-01-20 10:13 UTC
From: adamiwaniuk at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.2.11 OS:
Private report: No CVE-ID:
 [2009-09-26 21:47 UTC] adamiwaniuk at gmail dot com
Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx', it is possible to prepare some fake data in the $_FILES structure array.
If someone uploads multiple files, it is possible to set a fake file size, or, when someone is using an unsafe upload method (without is_uploaded_file()/move_uploaded_file()), to set tmp_name to any file.

example content:

Content-Disposition: form-data; name="images[[tmp_name]"; filename="file.txt"

Content-Disposition: form-data; name="images[tmp_name]["; filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES)?>

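<?php
// Unsafe method from the description: tmp_name is copied without
// is_uploaded_file()/move_uploaded_file().
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
	copy($_FILES["images"]["tmp_name"][$key], 'upload\\a'.rand().'.txt');
}
?>

<?php
// The size limit here relies on $_FILES["images"]["size"], which is the
// value the description says can be faked.
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
	if ($_FILES["images"]["size"][$key] > 0 && $_FILES["images"]["size"][$key] < 1024) {
		move_uploaded_file($_FILES["images"]["tmp_name"][$key], 'upload\\'.rand().'.txt');
	}
}
?>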


Expected result:
----------------
It should skip the uploaded file when 'name' ends with '[' or '[xxx'.

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}

 [2009-09-27 02:52 UTC] jani@php.net
Same problem as already reported in bug #48597
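
A defensive handler for the multi-file case in this report, as an added example that is not code from the report or from PHP itself: it rejects a field whose five sub-arrays do not share the same keys, requires is_uploaded_file(), and measures the size on disk. The function name validated_uploads(), the $limit parameter and the sample array are assumptions made for illustration.

```php
<?php
// Added example, not from the report; validated_uploads() is a hypothetical name.
function validated_uploads(array $field, int $limit): array
{
    // All five sub-arrays must exist and carry identical keys. The structure
    // in the report fails here: 'tmp_name' has more keys than 'name'.
    $keys = null;
    foreach (['name', 'type', 'tmp_name', 'error', 'size'] as $part) {
        if (!isset($field[$part]) || !is_array($field[$part])) {
            return [];
        }
        $partKeys = array_keys($field[$part]);
        if ($keys !== null && $partKeys !== $keys) {
            return [];
        }
        $keys = $partKeys;
    }
    $accepted = [];
    foreach ($keys as $key) {
        $tmp = $field['tmp_name'][$key];
        // Skip leftover bracket keys such as "[tmp_name".
        if (is_string($key) && strpbrk($key, '[]') !== false) {
            continue;
        }
        if ($field['error'][$key] !== UPLOAD_ERR_OK || !is_string($tmp)) {
            continue;
        }
        // Only a file PHP itself received via HTTP POST qualifies.
        if (!is_uploaded_file($tmp)) {
            continue;
        }
        // Measure the file on disk; do not trust $_FILES['size'].
        $size = filesize($tmp);
        if ($size === false || $size === 0 || $size >= $limit) {
            continue;
        }
        $accepted[$key] = $tmp;
    }
    return $accepted;
}
// Constructed input, a shortened form of the "Actual result" dump above.
$spoofed = [
    'name'     => ['[tmp_name' => 'file.txt'],
    'type'     => ['[tmp_name' => 'text/plain'],
    'tmp_name' => ['[tmp_name' => 'php36E3.tmp', '[name' => 'index.php'],
    'error'    => ['[tmp_name' => 0],
    'size'     => ['[tmp_name' => 3],
];
var_dump(validated_uploads($spoofed, 1024));
```

Each path in the returned array should then go through move_uploaded_file() to a server-generated destination name.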
Last updated: Mon Apr 27 05:02:42 2015 UTC