PHP :: Bug #63808 :: FireFox Secure Mode vs Full Path and Filename

Bug #63808	FireFox Secure Mode vs Full Path and Filename
Submitted:	2012-12-19 19:22 UTC	Modified:	2012-12-20 01:12 UTC
From:	davisoftaec at gmail dot com	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	Irrelevant	OS:	Ubuntu
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	davisoftaec at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-12-19 19:22 UTC] davisoftaec at gmail dot com

Description:
------------
Sirs;

I'm developing in serveral versions the oldest is 5.3.2 for Ubuntu.

I found that realpath nor any other function in PHP will return a fullpath/filename.

I originally open a thread on this at:

http://ubuntuforums.org/showthread.php?t=2077379

Then once I discovered it was a FF Secure Mode issue posted it at:

http://forums.mozillazine.org/viewtopic.php?f=7&t=2612465&p=12467081#p12467081

I realize, since the Secure Mode Mandate was announced, not all issues surrounding it have been addressed.

I wanted to make you aware of this one and if you do not put this correction back into the "realpath" function, due to the debate over what it should do or be limited to, then give us a function that addresses this.

The coder should not have to be dealing with issues that are at this level, because the coder does not know what the default configuration of the users browser will be, so the fix for this must circumvent any restrictions placed on it by the browser.

If keeping the browser secure is a concern, then a POP-UP message to allow this "fullpath/filename" variable assignment should appear, to allow the work around to run the processing correctly.

Thanks!

OldManRiver



Test script:
---------------
<?php
	define ('SHOW_ME', 1);
	if (SHOW_ME==1) {
		foreach ($_POST as $key => $val) {
			echo "PK=> $key PV=> $val <br>";
		}  // end foreach $_POST
		foreach ($_GET as $key => $val) {
			echo "GK=> $key GV=> $val <br>";
		}  // end foreach $_POST
   }  // end if SHOW_ME
?>

<html>
<head>
<script type="text/javascript">
	function folder_address() {
		var pfile=document.getElementById('pfile');
		echo pfile.value;
		location.href="<?php echo $_SERVER['PHP_SELF']; ?>?pfile=" + pfile.value;
	}
</script>
</head>

<body onLoad ="folder_address();">
<FORM NAME='realp' METHOD='POST' ACTION="<?php echo $_SERVER['PHP_SELF']; ?>">
<table align='center' width='50%' border='5' cellspacing='0' cellpadding='0'>
	<tr>
		<td>&nbsp;</td>
	</tr>

	<tr>
		<td align='center'>	
			<div class="fileinputs1">
			<!-- input type="file" id="folder_add" name="folder_add">
			<input type="hidden" id="folder" name="folder">
			<br -->
			<input type='file' id='pfile' name='pfile' value='Browse'>
			</div>
			<input type='submit' value='Submit'>
		</td>
	</tr>
</table>

</form>
</body>
</html>

Expected result:
----------------
The entire and complete fullpath and filename of the file on the local or hosted machine.

Actual result:
--------------
only the filename, path is truncated.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-12-20 01:12 UTC] aharvey@php.net

-Status: Open +Status: Not a bug

[2012-12-20 01:12 UTC] aharvey@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Form file uploads don't work that way, sorry. PHP never gets the full path of the file.

[2012-12-20 17:01 UTC] anon at anon dot anon

I read both your threads and I'm still not quite sure what you want to do.

* If you want to know the file name on the client, it's $_FILES[...]['name'].

* If you want to know the full file path where it's been saved to on the server after uploading, it's $_FILES[...]['tmp_name'].

* If you want to know the full path on the client, and your script is running on the same machine (or on a local network with file sharing set up), then you're confused because you don't really want a file upload box. You want either: a plain text box for typing the file path; OR: a script that finds & lists the names of all the eligible files, to let the user click on one.

* If you think you want to know the full path on the client, and your script is not on the same machine or on the same network, then you're confused, because that information is (1) totally unusable because that path is on a different computer (2) totally unnecessary because you just uploaded the file anyway (3) none of your business.

Stop blaming the realpath function. It's not broken. But it never has and never will have anything to do with your problem.

>the fix for this must circumvent any restrictions placed on it by the browser

I've heard of that. That's called malware.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon May 27 04:01:31 2024 UTC