felipe Sun, 12 Jun 2011 15:14:18 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=312103
Log: - Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename) Reported by: kkotowicz at gmail dot com Bug: http://bugs.php.net/54939 (error getting bug information) Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/main/rfc1867.c Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-06-12 15:03:18 UTC (rev 312102) +++ php/php-src/branches/PHP_5_3/NEWS 2011-06-12 15:14:18 UTC (rev 312103) @@ -29,6 +29,8 @@ and an --man-dir argument to php-config. (Hannes) . Fixed a crash inside dtor for error handling. (Ilia) + . Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload + filename). (Felipe) Reported by Krzysztof Kotowicz. . Fixed bug #54935 php_win_err can lead to crash. (Pierre) . Fixed bug #54924 (assert.* is not being reset upon request shutdown). (Ilia) Modified: php/php-src/branches/PHP_5_3/main/rfc1867.c =================================================================== --- php/php-src/branches/PHP_5_3/main/rfc1867.c 2011-06-12 15:03:18 UTC (rev 312102) +++ php/php-src/branches/PHP_5_3/main/rfc1867.c 2011-06-12 15:14:18 UTC (rev 312103) @@ -1223,7 +1223,7 @@ #endif if (!is_anonymous) { - if (s && s > filename) { + if (s && s >= filename) { safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); } else { safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); @@ -1236,7 +1236,7 @@ } else { snprintf(lbuf, llen, "%s[name]", param); } - if (s && s > filename) { + if (s && s >= filename) { register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC); } else { register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
