[2020-02-19 16:48 UTC] craig at craigfrancis dot co dot uk
-Status: Open
+Status: Closed
Description:
------------
In the PHP source code, the user supplied filename passes through _basename().

https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1139

The comment mentions this is due to Internet Explorer providing the "full path of the file on the user's filesystem".

While that might be valid, it's much more important that the comment focuses on the security issue this avoids.

For example, you will find examples of PHP code that does something like this:

    $dest = __DIR__ . '/../../uploads/' . $_FILES["image"]['name'];
    move_uploaded_file($_FILES['image']['tmp_name'], $dest);

Which would cause a problem if an "Evil Hacker" was to set the filename to a relative path, e.g.

    curl -F 'file=@example.php;filename=../../../example.php' https://example.com/upload/
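
A hardened counterpart to the upload snippet in the report, added here as an example (it is not code from the report or from php-src). The helper name `safe_upload_destination()`, the image-extension allowlist and the sample filenames are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from php-src): build a destination path that
// cannot leave $uploadDir, whatever the client put in the filename field.
function safe_upload_destination(string $uploadDir, string $clientName): string
{
    $root = realpath($uploadDir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('Upload directory does not exist');
    }

    // Defence in depth: strip directory components again instead of relying
    // on the request parser having done it. Normalise "\" first, because
    // basename() only treats it as a separator on Windows.
    $leaf = basename(str_replace('\\', '/', $clientName));

    // Keep only the extension, and only if it is on an allowlist
    // (assumed here to be image types).
    $ext = strtolower(pathinfo($leaf, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('File type not allowed');
    }

    // The stored name is generated server-side; no client bytes reach the path.
    return $root . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs, including the relative path from the report.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
foreach (['photo.JPG', '../../../example.php', '..\\..\\cat.png', '..'] as $name) {
    try {
        $dest = safe_upload_destination($dir, $name);
        // In a real handler: move_uploaded_file($_FILES['image']['tmp_name'], $dest);
        printf("%-24s -> %s\n", $name, $dest);
    } catch (InvalidArgumentException $e) {
        printf("%-24s -> rejected (%s)\n", $name, $e->getMessage());
    }
}
```

Every accepted destination is a random name directly inside the upload directory, and the `.php` name from the report is rejected by the allowlist after its path components are stripped.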