Bug #49683 $_FILES overwrite
Submitted: 2009-09-26 21:47 UTC Modified: 2016-08-07 18:05 UTC
From: adamiwaniuk at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: *General Issues
PHP Version: 5.2.11 OS:
Private report: No CVE-ID: None
 [2009-09-26 21:47 UTC] adamiwaniuk at gmail dot com
Description:
------------
When 'name' from Content-Disposition ends with '[' or '[xxxxx', it is possible to prepare some fake data in the $_FILES structure array.
If someone uploads multiple files, it is possible to set a fake file size or, when someone is using an unsafe upload method (without is_uploaded_file()/move_uploaded_file()), to set tmp_name to any file.

example content:

Content-Disposition: form-data; name="images[[tmp_name]"; filename="file.txt"

Content-Disposition: form-data; name="images[tmp_name]["; filename="index.php"

Reproduce code:
---------------
<?php var_dump($_FILES)?>

<?php
// Unsafe handler: copies tmp_name without is_uploaded_file()/move_uploaded_file()
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
	copy($_FILES["images"]["tmp_name"][$key], 'upload\\a'.rand().'.txt');
}
?>


<?php
// Handler that trusts the size value found in $_FILES
foreach ($_FILES["images"]["tmp_name"] as $key => $name) {
	if ($_FILES["images"]["size"][$key] > 0 && $_FILES["images"]["size"][$key] < 1024) {
		move_uploaded_file($_FILES["images"]["tmp_name"][$key], 'upload\\'.rand().'.txt');
	}
}

?>


Expected result:
----------------
It should skip the uploaded file when 'name' ends with '[' or '[xxx'.

Actual result:
--------------
array(1) {
  ["images"]=>
  array(5) {
    ["name"]=>
    array(1) {
      ["[tmp_name"]=>
      string(5) "file.txt"
    }
    ["type"]=>
    array(1) {
      ["[tmp_name"]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(5) {
      ["[tmp_name"]=>
      string(66) "C:\Documents and Settings\Adam\Ustawienia lokalne\Temp\php36E3.tmp"
      ["[name"]=>
      string(10) "index.php"
      ["[type"]=>
      string(10) "text/plain"
      ["[error"]=>
      int(0)
      ["[size"]=>
      int(11)
    }
    ["error"]=>
    array(1) {
      ["[tmp_name"]=>
      int(0)
    }
    ["size"]=>
    array(1) {
      ["[tmp_name"]=>
      int(3)
    }
  }
}
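
A defensive check for the structure shown in this report, added here as an example; it is not part of the original report or of PHP itself. `safe_upload_entries()` and its `$isUploaded` parameter are hypothetical names, and `$forged` is constructed from the "Actual result" dump with the temp path shortened.

```php
<?php
// Added example, not from the report; safe_upload_entries() is a hypothetical name.
const UPLOAD_FIELDS = ['name', 'type', 'tmp_name', 'error', 'size'];

/** Return the entries of one multi-file $_FILES field that are safe to move. */
function safe_upload_entries(array $field, ?callable $isUploaded = null): array
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';
    foreach (UPLOAD_FIELDS as $f) {
        if (!isset($field[$f]) || !is_array($field[$f])) {
            throw new UnexpectedValueException("'$f' is missing or not an array");
        }
    }
    $ref = $field['tmp_name'];
    foreach (UPLOAD_FIELDS as $f) {
        // A forged part adds keys to one sub-array only, so the key sets diverge.
        if (array_diff_key($field[$f], $ref) || array_diff_key($ref, $field[$f])) {
            throw new UnexpectedValueException("key mismatch between '$f' and 'tmp_name'");
        }
    }
    $safe = [];
    foreach ($ref as $key => $tmp) {
        // Assumption: the application never uses brackets inside an index.
        if (is_string($key) && strpbrk($key, '[]') !== false) continue;
        if ($field['error'][$key] !== UPLOAD_ERR_OK) continue;
        // Only paths PHP itself created for this request pass is_uploaded_file().
        if (!is_string($tmp) || !$isUploaded($tmp)) continue;
        // Measure the file on disk instead of trusting $_FILES[...]['size'].
        $safe[$key] = ['tmp_name' => $tmp, 'size' => filesize($tmp)];
    }
    return $safe;
}

// Constructed input: the "Actual result" dump, with the temp path shortened.
$forged = [
    'name'     => ['[tmp_name' => 'file.txt'],
    'type'     => ['[tmp_name' => 'text/plain'],
    'tmp_name' => ['[tmp_name' => 'php36E3.tmp', '[name' => 'index.php',
                   '[type' => 'text/plain', '[error' => 0, '[size' => 11],
    'error'    => ['[tmp_name' => 0],
    'size'     => ['[tmp_name' => 3],
];
try {
    safe_upload_entries($forged);
    echo "accepted\n";
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The `$isUploaded` parameter exists only so the per-entry checks can be exercised outside a real HTTP upload; in a request handler, leave it at its default.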

 [2009-09-27 02:52 UTC] jani@php.net
Same problem as already reported in bug #48597
 [2016-08-07 18:05 UTC] cmb@php.net
-Status: Not a bug
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2016-08-07 18:05 UTC] cmb@php.net
> Same problem as already reported in bug #48597

So this is a duplicate.
 
Last updated: Sun Oct 27 16:01:27 2024 UTC