-rw-r--r--NEWS6
-rw-r--r--main/rfc1867.c10
-rw-r--r--tests/basic/bug55500.phpt67
3 files changed, 80 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index c87609de4a..c1a4a6ec6f 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@ PHP NEWS
. Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry)
. Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence)
+- SAPI:
+ . Fixed bug #54374 (Insufficient validating of upload name leading to
+ corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com)
+ . Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
+ (Stas)
+
- CLI SAPI:
. Fixed bug #60591 (Memory leak when access a non-exists file). (Laruence)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index eca8e2d2fa..b848126b2a 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -556,7 +556,7 @@ static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC
{
char *s = strrchr(path, '\\');
char *s2 = strrchr(path, '/');
-
+
if (s && s2) {
if (s > s2) {
++s;
@@ -942,6 +942,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
}
tmp++;
}
+ /* Brackets should always be closed */
+ if(c != 0) {
+ skip_upload = 1;
+ }
}
total_bytes = cancel_upload = 0;
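Review bot: The added `if(c != 0)` check rejects the part silently: `skip_upload = 1` is set with no diagnostic in this hunk, and the new test expects the malformed parts simply to be missing from `$_FILES`. Field names with unbalanced brackets are unlikely to come from an ordinary browser form, so a warning-level log entry at this point would let operators notice malformed upload requests. Whether the surrounding handler already logs skipped parts cannot be seen here, because the counting loop and the rest of rfc1867_post_handler lie outside the hunk. The comment should also give the reason, for example `/* Unbalanced brackets would corrupt the $_FILES index layout (bug #55500): skip the part rather than repair the name */`, and the condition should follow the file's spacing, `if (c != 0) {`.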
@@ -977,7 +981,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
offset = 0;
end = 0;
-
+
if (!cancel_upload) {
/* only bother to open temp file if we have data */
blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
@@ -1275,7 +1279,7 @@ SAPI_API void php_rfc1867_set_multibyte_callbacks(
php_rfc1867_getword = getword;
php_rfc1867_getword_conf = getword_conf;
php_rfc1867_basename = basename;
-}
+}
/* }}} */
/*
diff --git a/tests/basic/bug55500.phpt b/tests/basic/bug55500.phpt
new file mode 100644
index 0000000000..22bc131bc2
--- /dev/null
+++ b/tests/basic/bug55500.phpt
@@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+ [%u|b%"file"]=>
+ array(5) {
+ [%u|b%"name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(9) "file1.txt"
+ }
+ [%u|b%"type"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(16) "text/plain-file1"
+ }
+ [%u|b%"tmp_name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(%d) "%s"
+ }
+ [%u|b%"error"]=>
+ array(1) {
+ [0]=>
+ int(0)
+ }
+ [%u|b%"size"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
+array(0) {
+}
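Review bot: The raw POST body only exercises names with an unclosed `[` (`file[[type]`, `file[[name]`, `file[name][`); no part has a closing bracket without an opener, or text following a `]`, so the test would keep passing if that side of the name validation regressed. Those cases are presumably handled by the loop in main/rfc1867.c that is not shown in this diff, and one extra part per case with the same expected `$_FILES` output would pin them. The fourth part also reuses `Content-Type: text/plain-file3`; `Content-Type: text/plain-file4` would keep the fixtures distinguishable if the expected output ever has to change.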