At 21:23 29/07/2001, Stephen van Egmond wrote:
>Zeev Suraski ([EMAIL PROTECTED]) wrote:
> > At 12:04 29/07/2001, Stephen van Egmond wrote:
> > >2. when a uploaded file fails is_uploaded_file().
> >
> > My English parser bailed out on this one :)
>How's your PHP parser doing? :)
>foreach $f ($HTTP_POST_FILES) {
>         if (!is_uploaded_file($f)) {
>                 die "Ayiee!";
>         }

Umm, there's no need for that code.  $HTTP_POST_FILES can only contain 
uploaded files (I added code that protects $HTTP_*_VARS and 
$HTTP_POST_FILES from the register_global danger around 4.0.3 or so;  Stuff 
in these variables can only come from the real POST/GET/etc. 
sources).  is_uploaded_file() was added only for those who use 

> > While it may be rare to find a situation in which it's useful more than
> > move_uploaded_file(), these cases do exist.  I'm not sure what's wrong 
> with
> > it, can you be more specific?
>My feelings upon seeing it were of the "aw, man, couldn't something
>else check for that?".  There isn't any reason you would want to accept
>a file that failed is_uploaded_file() -- so why bother even leaving it
>as a possibility.
>While I'm typing this, I also understand that it may have been an
>emergency introduction into the language in response to a vulnerability
>report.  And I also understand that functionality that exists in some
>Server API should, in some way, be reproducible in the core without
>duplicating code.

It was just one of the examples to the emergencies that register_globals 
created for us in the past :)


PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to