Quick-fix for the file upload security alert

@Quick-fix for the file upload security alert (Rasmus)
Rasmus Lerdorf 2000-09-04 05:09:46 +00:00
parent 6bfed632c7
commit 43fefff150


@ -64,7 +64,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
int eolsize;
long bytes, max_file_size = 0;
char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL,
*abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL;
*abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL;
FILE *fp;
int itype, is_arr_upload=0, arr_len=0;
zval *http_post_files=NULL;
@ -172,8 +172,10 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
}
abuf = estrndup(namebuf, strlen(namebuf)-arr_len);
sprintf(lbuf, "%s_name[%s]", abuf, arr_index);
sbuf = estrdup(abuf);
} else {
sprintf(lbuf, "%s_name", namebuf);
sbuf = estrdup(abuf);
}
s = strrchr(filenamebuf, '\\');
if (s && s > filenamebuf) {
@ -252,7 +254,11 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
}
*(loc - 4) = '\0';
php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
/* Check to make sure we are not overwriting special file
* upload variables */
if(memcmp(namebuf,sbuf,strlen(sbuf))) {
php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
}
/* And a little kludge to pick out special MAX_FILE_SIZE */
itype = php_check_ident_type(namebuf);
@ -353,6 +359,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
break;
}
}
if(sbuf) efree(sbuf);
SAFE_RETURN;
}
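Review bot: The new guard `if(memcmp(namebuf,sbuf,strlen(sbuf)))` dereferences `sbuf`, which is declared `NULL` and, in the visible lines, is assigned only in the file-name branch of the second hunk, so a form part that reaches the check before any file part would call `strlen(NULL)`; `if (!sbuf || strncmp(namebuf, sbuf, strlen(sbuf)))` avoids that and also keeps the comparison from reading past the end of a shorter `namebuf`. In the non-array `else` branch the added `sbuf = estrdup(abuf);` copies `abuf`, which the visible code sets only in the array branch, so it looks like it should be `sbuf = estrdup(namebuf);`. Each assignment also overwrites the previous `sbuf` without an `efree`, while the only release is the one before `SAFE_RETURN`, so a request with several file parts appears to leak the earlier copies. The check is a prefix match against the most recent file field only, which means earlier file fields are no longer protected and ordinary fields sharing the prefix are silently dropped; a comment stating that intent would help. The rest of php_mime_split lies outside the hunks, so these points should be confirmed against the full parsing loop.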