Newsgroups: php.internals
Reply-To: bishop@php.net
Date: Wed, 19 Feb 2020 11:41:41 -0500
To: Craig Francis
Cc: PHP internals
Subject: Re: [PHP-DEV] $_FILES['name'] check
From: bishop@php.net (Bishop Bettini)

On Wed, Feb 19, 2020 at 10:29 AM Craig Francis wrote:

> On Wed, 19 Feb 2020 at 05:23, Bishop Bettini wrote:
>
>> On Sun, Feb 16, 2020 at 6:24 PM Craig Francis wrote:
>>
>>> Just to check, at the moment, if I was an evil hacker, and was to run:
>>>
>>> curl -F 'file=@example.jpg;filename=../../../example.php' https://example.com/upload/
>>>
>>> The $_FILES['file']['name'] would be set to "example.php", where PHP has
>>> removed the leading "../../../" (good to see).
>>>
>>> Does that happen simply because of this IE fix, where it uses _basename()
>>> in the PHP source:
>>>
>>> https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1144
>>
>> Mostly, it seems. _basename will either be php_ap_basename[1] or
>> php_mb_rfc1867_basename[2], and both of those handle the base name
>> functionality regardless of platform.
>>
>> The comment's a little misleading, though. The original implementation[3]
>> had a magic quotes check when compiled under WIN32, and that's what the
>> comment's talking about. The comment's not saying that the basename call
>> itself is for Windows only.
>>
>> [1]: https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L558
>> [2]: https://github.com/php/php-src/blob/2e97ae91c8ac404be00050eef414b555aba45a1c/ext/mbstring/mbstring.c#L852
>> [3]: https://github.com/php/php-src/blob/7ee1fdb657f2a6da65087552e6dda8cf2f4bd1ef/main/rfc1867.c#L1088
>
> Thanks Bishop,
>
> That's interesting, so the comment probably should be updated.
>
> I don't think it matters where PHP is compiled, as I'm more focused on
> what the browser sends to the server.
>
> Personally I'd like the comment to mention the security value it provides,
> as I've seen a few systems that don't pass $_FILES["file"]["name"]
> through basename(); and if this behaviour was to change (e.g. when "IE's
> user base drops to nill"), that would introduce a problem.
>
> https://stackoverflow.com/questions/18929178/move-uploaded-file-function-is-not-working

I've updated this comment ([1]) to reflect that basename-ing is mandatory
for RFC 7857 multipart/form-data processing of filename parameters ([2]).

Thank you for helping improve PHP!

[1]: https://github.com/php/php-src/commit/fb57ae9084a98ac5f06cd7b2d10205489b537e20
[2]: https://tools.ietf.org/html/rfc7578
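
The basename step discussed in this thread, written as stand-alone C for a server that receives a multipart `filename` parameter. This is an added example, not php-src code: `upload_basename` and `safe_upload_name` are hypothetical names, and the extra rejection rules (empty name, `.`, `..`, control characters, length) are assumptions that go beyond what the thread describes.

```c
#include <stdio.h>
#include <string.h>

/* Last path component of a client-supplied filename. Both '/' and '\\'
 * count as separators on every platform, because the name reflects the
 * client's filesystem, not the server's. */
static const char *upload_basename(const char *name)
{
    const char *base = name;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\')
            base = p + 1;
    }
    return base;
}

/* Write a storable name to out. Returns 0 on success, -1 if the name is
 * empty, ".", "..", too long for out, or contains control characters. */
static int safe_upload_name(const char *raw, char *out, size_t outlen)
{
    const char *base = upload_basename(raw);
    size_t n = strlen(base);

    if (n == 0 || n >= outlen)
        return -1;
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)base[i];
        if (c < 0x20 || c == 0x7f)
            return -1;
    }
    memcpy(out, base, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed inputs; the first is the filename from the thread. */
    const char *samples[] = { "../../../example.php",
                              "C:\\Users\\me\\photo.jpg", "uploads/", ".." };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (safe_upload_name(samples[i], buf, sizeof buf) == 0)
            printf("%-26s -> %s\n", samples[i], buf);
        else
            printf("%-26s -> rejected\n", samples[i]);
    }
    return 0;
}
```

For the thread's curl input the result is `example.php`: the traversal prefix is gone, but the extension is still whatever the client sent, so the stored name and type need their own checks.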