PHP :: Bug #50314 :: File upload problem with typo in form

Bug #50314

File upload problem with typo in form

Submitted:

2009-11-27 14:20 UTC

Modified:

2016-08-07 18:07 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	0 (0.0%)

From:

jj07020 at lanet dot lv

Assigned:

cmb (profile)

Status:

Duplicate

Package:

*General Issues

PHP Version:

5.*, 6

OS:

Windows XP Pro SP3

Private report:

CVE-ID:

None

View Developer Edit

[2009-11-27 14:20 UTC] jj07020 at lanet dot lv

Description:
------------
It is possible to supply a filename which will be incorrectly parsed by PHP. The problem occurs when uploading a file from an HTML form with attributes name="file[" (lacking the closing bracket) and type="file". I'm using Apache 2.2.14 & PHP 5.3.1, but I was able to reproduce the bug with Apache 2.2.10 & PHP 5.3.0.


Reproduce code:
---------------
HTML form - form.html:

<form method="post" enctype="multipart/form-data" action="upload.php">
<input type="file" name="file[" />
<input type="submit" value="OK" />
</form>


PHP code - upload.php:

<?php
var_dump($_FILES);
?>


The body of the HTTP request:

------------3PL7QzumhbsotvnG6nZnmR
Content-Disposition: form-data; name="file["; filename="code.gif"
Content-Type: image/gif

<binary gif data>

------------3PL7QzumhbsotvnG6nZnmR--


Expected result:
----------------
The array $_FILES should contain valid keys as specified in http://www.php.net/manual/en/features.file-upload.post-method.php. Hovever, the following assertion fails:

if (isset($_FILES["file"])) {
    assert(is_string($_FILES["name"])); // actual key is "[name"
}

Since the filename ("file[") lacks the closing bracket, it probably should be interpreted as a single file named "file[":

array(1) { ["file["]=> array(5) { ["name"]=> string(8) "code.gif" ["type"]=> string(9) "image/gif" ["tmp_name"]=> string(17) "C:\Temp\php3A.tmp" ["error"]=> int(0) ["size"]=> int(3342) } }


Actual result:
--------------
The array $_FILES:

array(1) { ["file"]=> array(5) { ["[name"]=> string(8) "code.gif" ["[type"]=> string(9) "image/gif" ["[tmp_name"]=> string(17) "C:\Temp\php3A.tmp" ["[error"]=> int(0) ["[size"]=> int(3342) } }

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-11-29 12:38 UTC] jj07020 at lanet dot lv

I tried it with php 5.2 (Snapshot Fri, 27 Nov 2009 11:41:38 +0000, Version: 5.2.12RC3-dev) and it produces the same result.

[2009-11-30 16:10 UTC] jani@php.net

This is not specific to any SAPI, happens also with sapi/cgi/ from today.

[2013-12-05 19:41 UTC] mike@php.net

See bug #48597

[2016-08-07 18:07 UTC] cmb@php.net

-Status: Verified +Status: Duplicate -Assigned To: +Assigned To: cmb

[2016-08-07 18:07 UTC] cmb@php.net

> See bug #48597

Actually, this report is a duplicate of the other report.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 22:01:29 2025 UTC