 ID:               30489
 Updated by:       [EMAIL PROTECTED]
 Reported By:      guth at fiifo dot u-psud dot fr
-Status:           Open
+Status:           Bogus
 Bug Type:         Zend Engine 2 problem
 Operating System: Linux
 PHP Version:      5.0.2
 New Comment:

Sorry, but your problem does not imply a bug in PHP itself. For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.

Thank you for your interest in PHP.

This is up to the PHP programmer to take care of. We can not simply
strip out \0's as in some encodings (Japanese) it's perfectly valid to
have that \0 as part of a multi-byte character.


Previous Comments:
------------------------------------------------------------------------

[2004-10-20 09:50:51] guth at fiifo dot u-psud dot fr

Description:
------------
Hello,

includes (include, require, etc.) are not binary safe. It is very
dangerous for beginners, who often use includes with parameters.
In the following example, I know that you can test the file name with
pathinfo() but the current PHP behaviour is incorrect.

Reproduce code:
---------------
<?php
$file = $_GET['file'];
$path = $_SERVER['DOCUMENT_ROOT']."/includes/".$file.".class.php";

if(is_file($path))
{
    include $path;
}
?>

Expected result:
----------------
index.php?file=Forum
Should work.

I suppose that the directory backups/Database.xml is protected by a
.htaccess and is not accessible with your browser.

index.php?file=../backups/Dabatase.xml%00
Should not work.

Actual result:
--------------
index.php?file=Forum
Should work.

index.php?file=../backups/Dabatase.xml%00
Works!


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=30489&edit=1
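
The application-side check that the reply above leaves to the PHP programmer, as an added example that is not part of the bug report or of PHP itself. It assumes class files are named <Name>.class.php under an includes directory; resolve_class_file() is a hypothetical helper name and the directory tree is constructed for the demonstration.

```php
<?php
// Added example: hardened form of the reporter's loader (hypothetical helper).
function resolve_class_file(string $baseDir, string $name): ?string
{
    // Reject NUL bytes explicitly: C-level file APIs stop reading at \0,
    // so the ".class.php" suffix appended after it would be silently ignored.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Allowlist the shape of the name: no slashes, dots or other path syntax.
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Resolve symlinks and ".." and confirm the result is still inside $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.class.php');
    if ($real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed self-check: a throwaway tree mirroring the layout in the report.
$root = sys_get_temp_dir() . '/inc_demo_' . uniqid();
mkdir("$root/includes", 0700, true);
mkdir("$root/backups", 0700, true);
file_put_contents("$root/includes/Forum.class.php", "<?php // constructed sample\n");
file_put_contents("$root/backups/Dabatase.xml", "<secret/>");

// Decoded values of the "file" parameter and whether they should be accepted.
$cases = [
    'Forum'                     => true,
    "../backups/Dabatase.xml\0" => false,
    '../backups/Dabatase.xml'   => false,
];
foreach ($cases as $input => $shouldLoad) {
    $path = resolve_class_file("$root/includes", (string) $input);
    printf("%-36s %s\n", json_encode($input), $path !== null ? 'accepted' : 'rejected');
    assert(($path !== null) === $shouldLoad);
}
```

A caller would pass the accepted path to include and treat null as a 404 rather than building the path from $_GET['file'] directly.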
