Newsgroups: php.internals
Subject: Re: [PHP-DEV] $_FILES['name'] check
From: craig@craigfrancis.co.uk (Craig Francis)
Date: Wed, 19 Feb 2020 15:29:00 +0000
To: Bishop Bettini
Cc: PHP internals

On Wed, 19 Feb 2020 at 05:23, Bishop Bettini wrote:

> On Sun, Feb 16, 2020 at 6:24 PM Craig Francis wrote:
>
>> Just to check, at the moment, if I was an evil hacker, and was to run:
>>
>> curl -F 'file=@example.jpg;filename=../../../example.php'
>> https://example.com/upload/
>>
>> The $_FILES['file']['name'] would be set to "example.php", where PHP has
>> removed the leading "../../../" (good to see).
>>
>> Does that happen simply because of this IE fix, where it uses _basename()
>> in the PHP source:
>>
>> https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1144
>
> Mostly, it seems. _basename will either be php_ap_basename[1] or
> php_mb_rfc1867_basename[2], and both of those handle the base name
> functionality regardless of platform.
>
> The comment's a little misleading, though. The original implementation[3]
> had a magic quotes check when compiled under WIN32, and that's what the
> comment's talking about. The comment's not saying that the basename call
> itself is for Windows only.
>
> [1]: https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L558
> [2]: https://github.com/php/php-src/blob/2e97ae91c8ac404be00050eef414b555aba45a1c/ext/mbstring/mbstring.c#L852
> [3]: https://github.com/php/php-src/blob/7ee1fdb657f2a6da65087552e6dda8cf2f4bd1ef/main/rfc1867.c#L1088

Thanks Bishop,

That's interesting, so the comment probably should be updated.

I don't think it matters where PHP is compiled, as I'm more focused on what
the browser sends to the server.

Personally I'd like the comment to mention the security value it provides,
as I've seen a few systems that don't pass $_FILES["file"]["name"] through
basename(); and if this behaviour was to change (e.g. when "IE's user base
drops to nill"), that would introduce a problem.

https://stackoverflow.com/questions/18929178/move-uploaded-file-function-is-not-working

Craig
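The defensive handling the thread is asking for, as an added example that is not part of the original message or of php-src: an upload handler that never relies on PHP's internal stripping of directory components from $_FILES['file']['name']. The upload directory and the extension whitelist are assumed.

```php
<?php
// Added example (not from the thread): treat the client-supplied file name as
// untrusted, even though PHP currently runs it through _basename() itself.
// Assumed: $upload_dir sits outside the web root; $allowed_ext is the list of
// extensions the application is prepared to serve back.

function safe_upload_name(string $client_name, array $allowed_ext): ?string {
    // Strip directory components for both separators, so a Windows-style
    // "C:\Users\me\photo.jpg" and a POSIX "../../../example.php" both reduce
    // to their final component regardless of the server platform.
    $name = basename(str_replace('\\', '/', $client_name));

    // Reject NUL bytes and anything empty or dot-only after stripping.
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }

    // Only the extension is taken from the client, and only if whitelisted;
    // the stored file name itself is generated server-side.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function store_upload(array $file, string $upload_dir, array $allowed_ext): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $target = safe_upload_name((string) $file['name'], $allowed_ext);
    if ($target === null) {
        return null;
    }
    $dest = rtrim($upload_dir, '/') . '/' . $target;
    // move_uploaded_file() refuses anything that is not a genuine upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed names mirroring the curl example in the thread: the .php name
// is rejected outright, the Windows path reduces to a generated .jpg name.
foreach (['../../../example.php', 'C:\\Users\\me\\photo.jpg', 'photo.JPG', '.htaccess'] as $n) {
    var_dump(safe_upload_name($n, ['jpg', 'png', 'gif']));
}
```

Because the stored name is generated and only the whitelisted extension survives, a change to PHP's own basename behaviour would not turn the upload path into a write-anywhere primitive.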