stas Sun, 01 Jan 2012 23:54:25 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=321664
Log: fix bug #54374, bug #55500 - filter file names better, no dangling [s Bugs: https://bugs.php.net/54374 (Open) Insufficient validating of upload name leading to corrupted $_FILES indices https://bugs.php.net/55500 (error getting bug information) Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/main/rfc1867.c A php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt U php/php-src/trunk/main/rfc1867.c A php/php-src/trunk/tests/basic/bug55500.phpt
Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS 2012-01-01 23:51:21 UTC (rev 321663)
+++ php/php-src/branches/PHP_5_4/NEWS 2012-01-01 23:54:25 UTC (rev 321664)
@@ -5,6 +5,12 @@ . Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry) . Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence) +- SAPI: + . Fixed bug #54374 (Insufficient validating of upload name leading to + corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com) + . Fixed bug #55500 (Corrupted $_FILES indices lead to security concern). + (Stas) + - CLI SAPI: . Fixed bug #60591 (Memory leak when access a non-exists file). (Laruence)
Modified: php/php-src/branches/PHP_5_4/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-01-01 23:51:21 UTC (rev 321663)
+++ php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-01-01 23:54:25 UTC (rev 321664)
@@ -556,7 +556,7 @@ { char *s = strrchr(path, '\\'); char *s2 = strrchr(path, '/'); - + if (s && s2) { if (s > s2) { ++s;
@@ -942,6 +942,10 @@ } tmp++; } + /* Brackets should always be closed */ + if(c != 0) { + skip_upload = 1; + } } total_bytes = cancel_upload = 0;
@@ -977,7 +981,7 @@ offset = 0; end = 0; - + if (!cancel_upload) { /* only bother to open temp file if we have data */ blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
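Review bot: In the `@@ -942,6 +942,10 @@` hunk of branches/PHP_5_4/main/rfc1867.c, the new `if(c != 0)` check drops the part by setting `skip_upload = 1` without any diagnostic, so a request carrying unbalanced names such as `file[[type]` (the cases in the new bug55500.phpt) leaves no trace for anyone monitoring for malformed upload names. Consider emitting a notice-level message on this path, or at least widening the comment to record the reason, e.g. `/* Unbalanced brackets could corrupt $_FILES indices (bugs #54374, #55500): reject the upload rather than repair the name */`. The condition should also follow the spacing used by the other checks visible in this file, `if (c != 0) {`. The enclosing loop and function start outside the hunk, so whether an earlier branch already reports the rejection cannot be seen here; the same points apply to the identical hunk in trunk/main/rfc1867.c.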
@@ -1275,7 +1279,7 @@ php_rfc1867_getword = getword; php_rfc1867_getword_conf = getword_conf; php_rfc1867_basename = basename; -} +} /* }}} */ /*
Added: php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt
===================================================================
--- php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt (rev 0)
+++ php/php-src/branches/PHP_5_4/tests/basic/bug55500.phpt 2012-01-01 23:54:25 UTC (rev 321664)
@@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+ [%u|b%"file"]=>
+ array(5) {
+ [%u|b%"name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(9) "file1.txt"
+ }
+ [%u|b%"type"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(16) "text/plain-file1"
+ }
+ [%u|b%"tmp_name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(%d) "%s"
+ }
+ [%u|b%"error"]=>
+ array(1) {
+ [0]=>
+ int(0)
+ }
+ [%u|b%"size"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
+array(0) {
+}
Modified: php/php-src/trunk/main/rfc1867.c
===================================================================
--- php/php-src/trunk/main/rfc1867.c 2012-01-01 23:51:21 UTC (rev 321663)
+++ php/php-src/trunk/main/rfc1867.c 2012-01-01 23:54:25 UTC (rev 321664)
@@ -556,7 +556,7 @@ { char *s = strrchr(path, '\\'); char *s2 = strrchr(path, '/'); - + if (s && s2) { if (s > s2) { ++s;
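Review bot: The new branches/PHP_5_4/tests/basic/bug55500.phpt only proves rejection: its three malformed parts (`file[[type]`, `file[[name]`, `file[name][`) all leave a bracket open, and the single accepted part is the flat `file[]`, so nothing guards against the added check over-rejecting a legitimate nested field name. Adding one well-formed nested part (for example `name="other[a][b]"`) to the POST_RAW section, with its expected `$_FILES` entry in EXPECTF, would pin that. The fourth part also reuses `Content-Type: text/plain-file3` for file4.txt, which looks like a copy-paste slip; `Content-Type: text/plain-file4` would keep the fixtures distinguishable if the expectations are ever extended. The same test is added unchanged under trunk/tests/basic/.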
@@ -942,6 +942,10 @@ } tmp++; } + /* Brackets should always be closed */ + if(c != 0) { + skip_upload = 1; + } } total_bytes = cancel_upload = 0;
@@ -977,7 +981,7 @@ offset = 0; end = 0; - + if (!cancel_upload) { /* only bother to open temp file if we have data */ blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
@@ -1275,7 +1279,7 @@ php_rfc1867_getword = getword; php_rfc1867_getword_conf = getword_conf; php_rfc1867_basename = basename; -} +} /* }}} */ /*
Added: php/php-src/trunk/tests/basic/bug55500.phpt
===================================================================
--- php/php-src/trunk/tests/basic/bug55500.phpt (rev 0)
+++ php/php-src/trunk/tests/basic/bug55500.phpt 2012-01-01 23:54:25 UTC (rev 321664)
@@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+ [%u|b%"file"]=>
+ array(5) {
+ [%u|b%"name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(9) "file1.txt"
+ }
+ [%u|b%"type"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(16) "text/plain-file1"
+ }
+ [%u|b%"tmp_name"]=>
+ array(1) {
+ [0]=>
+ %unicode|string%(%d) "%s"
+ }
+ [%u|b%"error"]=>
+ array(1) {
+ [0]=>
+ int(0)
+ }
+ [%u|b%"size"]=>
+ array(1) {
+ [0]=>
+ int(1)
+ }
+ }
+}
+array(0) {
+}