From 43fefff150335ec2c4e9658c06f2e951480b481b Mon Sep 17 00:00:00 2001
From: Rasmus Lerdorf
Date: Mon, 4 Sep 2000 05:09:46 +0000
Subject: [PATCH] Quick-fix for the file upload security alert @Quick-fix for the file upload security alert (Rasmus)
---
 main/rfc1867.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 5401af72d11..eb1171c2b36 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -64,7 +64,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
 int eolsize;
 long bytes, max_file_size = 0;
 char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL,
- *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL;
+ *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL;
 FILE *fp;
 int itype, is_arr_upload=0, arr_len=0;
 zval *http_post_files=NULL;
@@ -172,8 +172,10 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
 }
 abuf = estrndup(namebuf, strlen(namebuf)-arr_len);
 sprintf(lbuf, "%s_name[%s]", abuf, arr_index);
+ sbuf = estrdup(abuf);
 } else {
 sprintf(lbuf, "%s_name", namebuf);
+ sbuf = estrdup(abuf);
 }
 s = strrchr(filenamebuf, '\\');
 if (s && s > filenamebuf) {
@@ -252,7 +254,11 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
 }
 *(loc - 4) = '\0';
- php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+ /* Check to make sure we are not overwriting special file
+ * upload variables */
+ if(memcmp(namebuf,sbuf,strlen(sbuf))) {
+ php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+ }
 /* And a little kludge to pick out special MAX_FILE_SIZE */
 itype = php_check_ident_type(namebuf);
@@ -353,6 +359,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
 break;
 }
 }
+ if(sbuf) efree(sbuf);
 SAFE_RETURN;
 }
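Review bot: In the second hunk the `else` branch adds `sbuf = estrdup(abuf);`, but `abuf` is only assigned in the array-upload branch above it, so for a plain (non-array) upload field it is either still NULL from its initialiser or left over from an earlier part. That branch should duplicate the name it just used, `sbuf = estrdup(namebuf);`. Both new assignments also overwrite any earlier `sbuf` without releasing it, and the single `if(sbuf) efree(sbuf);` in the last hunk frees only the final copy; if this code runs once per file part (the loop is outside the hunk), add `if (sbuf) efree(sbuf);` before each assignment. The body of php_mime_split starts and ends outside these hunks.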
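Review bot: The new guard `if(memcmp(namebuf,sbuf,strlen(sbuf)))` in the third hunk uses `sbuf` without a NULL test, and as far as the visible hunks show `sbuf` stays NULL until a file part has been parsed, so an ordinary form field that arrives first (or a request with no file part) reaches `strlen(NULL)`. `memcmp` also reads `strlen(sbuf)` bytes from `namebuf` even when `namebuf` is shorter, running past its terminator; `if (!sbuf || strncmp(namebuf, sbuf, strlen(sbuf)) != 0) {` avoids both problems. The test is a prefix match, so it also drops unrelated fields whose names merely begin with the upload field's name, and it does nothing when these names are sent without any file part. The comment above the check should state those limits, so that callers keep validating the upload variables themselves.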