fix bug #54374, bug #55500 - filter file names better, no dangling [s

2024-11-24 02:15:04 +08:00 · 2012-01-01 23:54:25 +00:00 · 2012-01-01 23:54:25 +00:00 · 2a687aed1a
commit 2a687aed1a
parent 0fdbefa430
3 changed files with 80 additions and 3 deletions
--- a/6
+++ b/6
@ -5,6 +5,12 @@ PHP                                                                        NEWS
  . Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry)
  . Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence)

+- SAPI:
+  . Fixed bug #54374 (Insufficient validating of upload name leading to 
+    corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com)
+  . Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
+    (Stas)
+
 - CLI SAPI:
  . Fixed bug #60591 (Memory leak when access a non-exists file). (Laruence)

--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@ -556,7 +556,7 @@ static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC
 {
 	char *s = strrchr(path, '\\');
 	char *s2 = strrchr(path, '/');
-	
+
 	if (s && s2) {
 		if (s > s2) {
 			++s;
@ -942,6 +942,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 					}
 					tmp++;
 				}
+				/* Brackets should always be closed */
+				if(c != 0) {
+					skip_upload = 1;
+				}
 			}

 			total_bytes = cancel_upload = 0;
@ -977,7 +981,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */

 			offset = 0;
 			end = 0;
-			
+
 			if (!cancel_upload) {
 				/* only bother to open temp file if we have data */
 				blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
@ -1275,7 +1279,7 @@ SAPI_API void php_rfc1867_set_multibyte_callbacks(
 	php_rfc1867_getword = getword;
 	php_rfc1867_getword_conf = getword_conf;
 	php_rfc1867_basename = basename;
-}	
+}
 /* }}} */

 /*
--- a/tests/basic/bug55500.phpt
+++ b/tests/basic/bug55500.phpt
@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  [%u|b%"file"]=>
+  array(5) {
+    [%u|b%"name"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(9) "file1.txt"
+    }
+    [%u|b%"type"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(16) "text/plain-file1"
+    }
+    [%u|b%"tmp_name"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(%d) "%s"
+    }
+    [%u|b%"error"]=>
+    array(1) {
+      [0]=>
+      int(0)
+    }
+    [%u|b%"size"]=>
+    array(1) {
+      [0]=>
+      int(1)
+    }
+  }
+}
+array(0) {
+}