diff options
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | main/rfc1867.c | 10 | ||||
-rw-r--r-- | tests/basic/bug55500.phpt | 67 |
3 files changed, 80 insertions, 3 deletions
@@ -5,6 +5,12 @@ PHP NEWS . Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry) . Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence) +- SAPI: + . Fixed bug #54374 (Insufficient validating of upload name leading to + corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com) + . Fixed bug #55500 (Corrupted $_FILES indices lead to security concern). + (Stas) + - CLI SAPI: . Fixed bug #60591 (Memory leak when access a non-exists file). (Laruence) diff --git a/main/rfc1867.c b/main/rfc1867.c index eca8e2d2fa..b848126b2a 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -556,7 +556,7 @@ static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC { char *s = strrchr(path, '\\'); char *s2 = strrchr(path, '/'); - + if (s && s2) { if (s > s2) { ++s; @@ -942,6 +942,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ } tmp++; } + /* Brackets should always be closed */ + if(c != 0) { + skip_upload = 1; + } } total_bytes = cancel_upload = 0; @@ -977,7 +981,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ offset = 0; end = 0; - + if (!cancel_upload) { /* only bother to open temp file if we have data */ blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC); @@ -1275,7 +1279,7 @@ SAPI_API void php_rfc1867_set_multibyte_callbacks( php_rfc1867_getword = getword; php_rfc1867_getword_conf = getword_conf; php_rfc1867_basename = basename; -} +} /* }}} */ /* diff --git a/tests/basic/bug55500.phpt b/tests/basic/bug55500.phpt new file mode 100644 index 0000000000..22bc131bc2 --- /dev/null +++ b/tests/basic/bug55500.phpt @@ -0,0 +1,67 @@ +--TEST-- +Bug #55500 (Corrupted $_FILES indices lead to security concern) +--INI-- +file_uploads=1 +error_reporting=E_ALL&~E_NOTICE +upload_max_filesize=1024 +--POST_RAW-- +Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="file[]"; filename="file1.txt" +Content-Type: text/plain-file1 + +1 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="file[[type]"; filename="file2.txt" +Content-Type: text/plain-file2 + +2 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="file[[name]"; filename="file3.txt" +Content-Type: text/plain-file3 + +3 +-----------------------------20896060251896012921717172737 +Content-Disposition: form-data; name="file[name]["; filename="file4.txt" +Content-Type: text/plain-file3 + +4 +-----------------------------20896060251896012921717172737-- +--FILE-- +<?php +var_dump($_FILES); +var_dump($_POST); +?> +--EXPECTF-- +array(1) { + [%u|b%"file"]=> + array(5) { + [%u|b%"name"]=> + array(1) { + [0]=> + %unicode|string%(9) "file1.txt" + } + [%u|b%"type"]=> + array(1) { + [0]=> + %unicode|string%(16) "text/plain-file1" + } + [%u|b%"tmp_name"]=> + array(1) { + [0]=> + %unicode|string%(%d) "%s" + } + [%u|b%"error"]=> + array(1) { + [0]=> + int(0) + } + [%u|b%"size"]=> + array(1) { + [0]=> + int(1) + } + } +} +array(0) { +} |