Newsgroups: php.internals
Subject: Re: [PHP-DEV] $_FILES['name'] check
From: craig@craigfrancis.co.uk (Craig Francis)
To: Bishop Bettini
Cc: PHP internals
Date: Wed, 19 Feb 2020 16:49:42 +0000

On Wed, 19 Feb 2020 at 16:42, Bishop Bettini wrote:

> On Wed, Feb 19, 2020 at 10:29 AM Craig Francis wrote:
>
>> On Wed, 19 Feb 2020 at 05:23, Bishop Bettini wrote:
>>
>>> On Sun, Feb 16, 2020 at 6:24 PM Craig Francis wrote:
>>>
>>>> Just to check, at the moment, if I was an evil hacker, and was to run:
>>>>
>>>> curl -F 'file=@example.jpg;filename=../../../example.php' https://example.com/upload/
>>>>
>>>> The $_FILES['file']['name'] would be set to "example.php", where PHP has
>>>> removed the leading "../../../" (good to see).
>>>>
>>>> Does that happen simply because of this IE fix, where it uses _basename()
>>>> in the PHP source:
>>>>
>>>> https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1144
>>>
>>> Mostly, it seems. _basename will either be php_ap_basename[1] or
>>> php_mb_rfc1867_basename[2], and both of those handle the base name
>>> functionality regardless of platform.
>>>
>>> The comment's a little misleading, though. The original
>>> implementation[3] had a magic quotes check when compiled under WIN32, and
>>> that's what the comment's talking about. The comment's not saying that the
>>> basename call itself is for Windows only.
>>>
>>> [1]: https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L558
>>> [2]: https://github.com/php/php-src/blob/2e97ae91c8ac404be00050eef414b555aba45a1c/ext/mbstring/mbstring.c#L852
>>> [3]: https://github.com/php/php-src/blob/7ee1fdb657f2a6da65087552e6dda8cf2f4bd1ef/main/rfc1867.c#L1088
>>
>> Thanks Bishop,
>>
>> That's interesting, so the comment probably should be updated.
>>
>> I don't think it matters where PHP is compiled, as I'm more focused on
>> what the browser sends to the server.
>>
>> Personally I'd like the comment to mention the security value it
>> provides, as I've seen a few systems that don't
>> pass $_FILES["file"]["name"] through basename(); and if this behaviour was
>> to change (e.g. when "IE's user base drops to nill"), that would introduce
>> a problem.
>>
>> https://stackoverflow.com/questions/18929178/move-uploaded-file-function-is-not-working
>
> I've updated this comment ([1]) to reflect that basename-ing is mandatory
> for RFC 7857 multipart/form-data processing of filename parameters ([2]).
>
> Thank you for helping improve PHP!
>
> [1]: https://github.com/php/php-src/commit/fb57ae9084a98ac5f06cd7b2d10205489b537e20
> [2]: https://tools.ietf.org/html/rfc7578

Thanks again Bishop.
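A defensive upload handler illustrating the point raised in the thread, added here as an example and not code from the thread or from php-src: it re-applies basename() in the application rather than relying only on what main/rfc1867.c does, and adds the checks an upload handler needs regardless. The upload directory, the extension whitelist and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or php-src: normalise a client-supplied
// upload name on the server side instead of relying solely on the basename()
// that main/rfc1867.c applies. Returns null when the name cannot be made safe.
function safe_upload_name(string $clientName, array $allowedExt): ?string
{
    // Strip NUL and other control bytes that C-level APIs would truncate on.
    $name = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $clientName);

    // Drop every directory component, whichever separator the client used.
    // Repeating what rfc1867.c already does costs nothing and keeps the app
    // correct if that behaviour were ever changed.
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Whitelist the final extension; a name with none is rejected outright.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Never reuse the client's base name on disk: store under a random name
    // and keep the original only as metadata.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// $uploadDir is an assumed directory outside the web root.
function store_upload(array $file, string $uploadDir, array $allowedExt): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $stored = safe_upload_name($file['name'], $allowedExt);
    if ($stored === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed inputs mirroring the curl command quoted in the thread: the first
// is rejected because .php is not whitelisted, the second is accepted as a .jpg.
var_dump(safe_upload_name('../../../example.php', ['jpg', 'png']));
var_dump(safe_upload_name("..\\..\\evil\0.jpg", ['jpg', 'png']));
```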