Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:108624
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55532 invoked from network); 17 Feb 2020 01:09:03 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 17 Feb 2020 01:09:03 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 1486A18050A
	for <internals@lists.php.net>; Sun, 16 Feb 2020 15:24:20 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun, 16 Feb 2020 15:24:19 -0800 (PST)
Received: by mail-wm1-f47.google.com with SMTP id p9so15367258wmc.2
        for <internals@lists.php.net>; Sun, 16 Feb 2020 15:24:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:from:date:message-id:subject:to;
        bh=/IuD0XN6/PtYD1H9jaXK+vbgLhgvvfK/hyKx0OC4STA=;
        b=fNBLQ5Chqjb5OlLP6ObYClGVC1vX9SjXseGxsd66F4tjW51Gwf7n/IqIkPu/wuqI1D
         S2L2ties6XLwQ83CZ7+nP+mpUzKAKUkQkSoelTzZxKNt/VYTq6/mQGk951gBGUHX8WDE
         e6xq6sZIBLDmFvuRxFlurHfJp1rPlxtPCt/So=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=/IuD0XN6/PtYD1H9jaXK+vbgLhgvvfK/hyKx0OC4STA=;
        b=Ldo1SmlZg+OY0ISoVMQoAdogRRYFNw0y9aJR1IAMU2cSO+mrA9edF32erSbWfx8Uud
         /pgm7Rk0zGp6nOV8XnPSU4BqDikYQ5sCRFfKhIMONvmr+kMu5YTkr5LjIgmOL8tuZdRC
         ktlg+hmX+bPgnVvz/+q3B8UEmXNLgmyv89iImK4AP8+UNK3J6cNvZpwDCCTIVdTctQhI
         1A2wTY3ldklbgeE91TfmfeFsm+3iXqiRQWf2yj5rGbfn9uLOYBJmecDw7eiPN3qOjD1t
         UbW8/Glx48juUS5yLMp/U0umQXJgi9qe0UfgCaH/uY++/FmM36QAFw/7o9epH5p7z485
         GIJA==
X-Gm-Message-State: APjAAAUfSzI2ATGN7mmyGSgj/Cpn9VtWfpfe7ndR4AzbEoPs5ghAYP79
	JEEDMM2PGdypR64ssNgYFpB7GozSf6gUPAsDy5CcDwrBzh8=
X-Google-Smtp-Source: APXvYqyxkWFhhkcmocorcjwhPfGRXfMUIXO6K4VHdmn2D+Lfn1R9KQ0W/oPgQvffKwlgybMbsDHdtbZ72tNWnKnlblI=
X-Received: by 2002:a05:600c:20e:: with SMTP id 14mr18175735wmi.104.1581895456292;
 Sun, 16 Feb 2020 15:24:16 -0800 (PST)
MIME-Version: 1.0
Date: Sun, 16 Feb 2020 23:24:05 +0000
Message-ID: <CAFv4g+Ecztuzf_WZXzJ=PNK2R8nSND2mB9eWrR4Z7+5OaVb+hg@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000be953a059eb9bc04"
Subject: $_FILES['name'] check
From: craig@craigfrancis.co.uk (Craig Francis)

--000000000000be953a059eb9bc04
Content-Type: text/plain; charset="UTF-8"

Hi,

Just to check, at the moment, if I was an evil hacker, and was to run:

curl -F 'file=@example.jpg;filename=../../../example.php'
https://example.com/upload/

The $_FILES['file']['name'] would be set to "example.php", where PHP has
removed the leading "../../../" (good to see).

Does that happen simply because of this IE fix, where it uses _basename()
in the PHP source:

https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1144

Craig

--000000000000be953a059eb9bc04--