Request #50691 Do not create unnecessary temporary files for POST (CVE-2009-4017)
Submitted: 2010-01-08 07:21 UTC Modified: 2010-12-20 15:41 UTC
Votes:4
Avg. Score:4.0 ± 1.2
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: john dot peterson10 at gmail dot com Assigned:
Status: Open Package: HTTP related
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2010-01-08 07:21 UTC] john dot peterson10 at gmail dot com
Description:
------------
Suggestion: Don't create temporary files when receiving a "multipart/form-data" POST until they are needed by the PHP code. This is an alternative solution to CVE-2009-4017 that does not require a max_file_uploads limit.

My understanding of the current function of RFC-1867 (Form-based File Upload in HTML) is that the list of files and the data for the files is sent before there is any processing of the PHP code in the requested page. (And regardless if the Apache-httpd server is PHP enabled or not?) However, a PHP enabled server controls the response to the POST request and with the max_file_uploads limit it will not process any more files than what it's limited to.

My question is: Isn't there a way to go even further and not respond to the file uploads in the POST request until it's needed in the PHP code? I.e. by only asking for file data when an element in $_FILES is requested by the PHP code? For example, when $_FILES[#] or $_FILES[#]["tmp_name"] is accessed in the PHP code (with move_uploaded_file or otherwise), the PHP execution halts and waits for that file to be uploaded, and so on with the other files. That way the vulnerability would be solved and there wouldn't be a need for the max_file_uploads limit. Or is there no two-way communication so that files are submitted one at a time from the client regardless of the response from the server (so that this solution is not possible)?

Reproduce code:
---------------
Page request with File Upload

Expected result:
----------------
Files are only created on the server when they are needed in the PHP code

Actual result:
--------------
Files are created on the server regardless if they are needed in the PHP code or not
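
The behaviour discussed in the report, modelled as an added example (not PHP's own code and not part of the original report): a handler walks a fully received multipart/form-data body and spools each file part to a temporary file, with a max_file_uploads-style cap bounding how many are created. The function names, boundary and request body are constructed for illustration.

```python
import os
import tempfile

BOUNDARY = b"XconstructedBoundaryX"  # constructed sample value

def build_body(n_files: int) -> bytes:
    """Constructed request body: one text field followed by n_files file parts."""
    parts = [b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="note"\r\n\r\nhi\r\n']
    for i in range(n_files):
        parts.append(
            b"--" + BOUNDARY + b"\r\n"
            + b'Content-Disposition: form-data; name="f%d"; filename="a%d.txt"\r\n' % (i, i)
            + b"Content-Type: text/plain\r\n\r\n"
            + b"x\r\n"
        )
    return b"".join(parts) + b"--" + BOUNDARY + b"--\r\n"

def spool_uploads(body: bytes, max_file_uploads: int, tmp_dir: str):
    """Walk every part of an already-received body; write file parts to tmp_dir.

    Returns (spooled_paths, skipped). The cap limits temp files created,
    not the number of parts the client put in the request.
    """
    spooled, skipped = [], 0
    for chunk in body.split(b"--" + BOUNDARY)[1:]:  # [0] is the empty preamble
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        headers, _, content = chunk[2:].partition(b"\r\n\r\n")
        if b'filename="' not in headers:            # ordinary form field, no temp file
            continue
        if len(spooled) >= max_file_uploads:        # over the cap: discard the part
            skipped += 1
            continue
        fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="upload_")
        with os.fdopen(fd, "wb") as fh:
            fh.write(content[:-2])                  # drop CRLF that precedes the next delimiter
        spooled.append(path)
    return spooled, skipped

def count_temp_files(n_files: int, max_file_uploads: int) -> tuple:
    """Return (temp files on disk, parts skipped) for one constructed request."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        spooled, skipped = spool_uploads(build_body(n_files), max_file_uploads, tmp_dir)
        return len(os.listdir(tmp_dir)), skipped

if __name__ == "__main__":
    print("no effective cap:", count_temp_files(500, 10**6))
    print("cap of 20:      ", count_temp_files(500, 20))
```
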

History

 [2010-12-20 15:41 UTC] jani@php.net
-Summary: Don't create unecessary temporary files for POST (CVE-2009-4017)
+Summary: Do not create unnecessary temporary files for POST (CVE-2009-4017)
-Package: Feature/Change Request
+Package: HTTP related
-Operating System: Windows
+Operating System: *
 [2010-12-20 15:41 UTC] jani@php.net
-PHP Version: 5.2.12
+PHP Version: *
 
Last updated: Sat Dec 14 14:01:24 2019 UTC