|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-02-19 16:48 UTC] craig at craigfrancis dot co dot uk
-Status: Open
+Status: Closed
[2020-02-19 16:48 UTC] craig at craigfrancis dot co dot uk
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat May 04 11:01:32 2024 UTC |
Description: ------------ In the PHP source code, the user supplied filename passes though _basename(). https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1139 The comment mentions this is due to Internet Explorer providing the "full path of the file on the user's filesystem". While that might be valid, it's much more important that the comment focuses on the security issue this avoids. For example, you will find examples of PHP code that does something like this: $dest = __DIR__ . '/../../uploads/' . $_FILES["image"]['name']); move_uploaded_file($_FILES['image']['tmp_name'], $dest); Which would cause a problem if an "Evil Hacker" was to set the filename to a relative path, e.g. curl -F 'file=@example.php;filename=../../../example.php' https://example.com/upload/