FAQ
stas Sun, 01 Jan 2012 23:54:25 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=321664

Log:
fix bug #54374, bug #55500 - filter file names better, no dangling [s

Bugs: https://bugs.php.net/54374 (Open) Insufficient validating of upload name leading to corrupted $_FILES indices
https://bugs.php.net/55500 (error getting bug information)

Changed paths:
U php/php-src/branches/PHP_5_4/NEWS
U php/php-src/branches/PHP_5_4/main/rfc1867.c
A php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt
U php/php-src/trunk/main/rfc1867.c
A php/php-src/trunk/tests/basic/bug55500.phpt

Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS 2012-01-01 23:51:21 UTC (rev 321663)
+++ php/php-src/branches/PHP_5_4/NEWS 2012-01-01 23:54:25 UTC (rev 321664)
@@ -5,6 +5,12 @@
. Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry)
. Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence)

+- SAPI:
+ . Fixed bug #54374 (Insufficient validating of upload name leading to
+ corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com)
+ . Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
+ (Stas)
+
- CLI SAPI:
. Fixed bug #60591 (Memory leak when access a non-exists file). (Laruence)


Modified: php/php-src/branches/PHP_5_4/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-01-01 23:51:21 UTC (rev 321663)
+++ php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-01-01 23:54:25 UTC (rev 321664)
@@ -556,7 +556,7 @@
{
char *s = strrchr(path, '\\');
char *s2 = strrchr(path, '/');
-
+
if (s && s2) {
if (s > s2) {
++s;
@@ -942,6 +942,10 @@
}
tmp++;
}
+ /* Brackets should always be closed */
+ if(c != 0) {
+ skip_upload = 1;
+ }
}

total_bytes = cancel_upload = 0;
@@ -977,7 +981,7 @@

offset = 0;
end = 0;
-
+
if (!cancel_upload) {
/* only bother to open temp file if we have data */
blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
@@ -1275,7 +1279,7 @@
php_rfc1867_getword = getword;
php_rfc1867_getword_conf = getword_conf;
php_rfc1867_basename = basename;
-}
+}
/* }}} */

/*

Added: php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt
===================================================================
--- php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt (rev 0)
+++ php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt 2012-01-01 23:54:25 UTC (rev 321664)
@@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+ [%u|b%"file"]=>
+ array(5) {
+ [%u|b%"name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(9) "file1.txt"
+ }
+ [%u|b%"type"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(16) "text/plain-file1"
+ }
+ [%u|b%"tmp_name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(%d) "%s"
+ }
+ [%u|b%"error"]=>
+ array(1) {
+ [0]=>
+ int(0)
+ }
+ [%u|b%"size"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
+array(0) {
+}

Modified: php/php-src/trunk/main/rfc1867.c
===================================================================
--- php/php-src/trunk/main/rfc1867.c 2012-01-01 23:51:21 UTC (rev 321663)
+++ php/php-src/trunk/main/rfc1867.c 2012-01-01 23:54:25 UTC (rev 321664)
@@ -556,7 +556,7 @@
{
char *s = strrchr(path, '\\');
char *s2 = strrchr(path, '/');
-
+
if (s && s2) {
if (s > s2) {
++s;
@@ -942,6 +942,10 @@
}
tmp++;
}
+ /* Brackets should always be closed */
+ if(c != 0) {
+ skip_upload = 1;
+ }
}

total_bytes = cancel_upload = 0;
@@ -977,7 +981,7 @@

offset = 0;
end = 0;
-
+
if (!cancel_upload) {
/* only bother to open temp file if we have data */
blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
@@ -1275,7 +1279,7 @@
php_rfc1867_getword = getword;
php_rfc1867_getword_conf = getword_conf;
php_rfc1867_basename = basename;
-}
+}
/* }}} */

/*

Added: php/php-src/trunk/tests/basic/bug55500.phpt
===================================================================
--- php/php-src/trunk/tests/basic/bug55500.phpt (rev 0)
+++ php/php-src/trunk/tests/basic/bug55500.phpt 2012-01-01 23:54:25 UTC (rev 321664)
@@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+ [%u|b%"file"]=>
+ array(5) {
+ [%u|b%"name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(9) "file1.txt"
+ }
+ [%u|b%"type"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(16) "text/plain-file1"
+ }
+ [%u|b%"tmp_name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(%d) "%s"
+ }
+ [%u|b%"error"]=>
+ array(1) {
+ [0]=>
+ int(0)
+ }
+ [%u|b%"size"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
+array(0) {
+}

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupphp-cvs @
categoriesphp
postedJan 1, '12 at 11:54p
activeJan 1, '12 at 11:54p
posts1
users1
websitephp.net

1 user in discussion

Stanislav Malyshev: 1 post

People

Translate

site design / logo © 2018 Grokbase