php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68773 basename function does not check non-minimum UTF-8 forms
Submitted: 2015-01-09 06:21 UTC Modified: 2015-08-02 20:27 UTC
From: php at tokumaru dot org Assigned: cmb (profile)
Status: Not a bug Package: Filesystem function related
PHP Version: 5.6.4 OS: Ubuntu
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at tokumaru dot org
New email:
PHP Version: OS:

 

 [2015-01-09 06:21 UTC] php at tokumaru dot org 
Description:
------------
Function basename does not check invalid multibyte strings.
For example, non-minimum UTF-8 forms are treated as normal file names.
This is a potential path-traversal vulnerability like CVE-2008-2938. 

Test script:
---------------
setlocale('LC_CTYPE', 'en_US.utf8');
var_dump(bin2hex(basename("..\xC0\xAFx")));  // \xC0\xAF is a non-minimum UTF-8 form of '/'

Expected result:
----------------
string(2) "78"

OR

string(0) ""

Actual result:
--------------
string(10) "2e2ec0af78"

Patches

basename-check-invalid-character-encoding-patch (last revision 2015-01-09 06:21 UTC by php at tokumaru dot org)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-02 20:27 UTC] cmb@php.net
-Status: Open +Status: Not a bug
 [2015-08-02 20:27 UTC] cmb@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

basename() is supposed to strip away leading path components, but
not to validate/sanitize the given parameter.
 [2015-08-02 20:27 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 20:01:29 2024 UTC