Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP Documentation Problem 100th time
From: hartmut@php.net (Hartmut Holzgraefe)
Reply-To: hartmut@php-groupies.de
To: Stefan Esser
CC: internals@lists.php.net
Date: Wed, 08 Sep 2004 02:15:40 +0200
Message-ID: <413E4F2C.7020103@php.net>
In-Reply-To: <413DFA6C.1070705@php.net>

Stefan Esser wrote:
> Example 34-2. Validating file uploads
>
> Is still showing a bullshit example. It constructs a destination path
> for move_uploaded_file() that consists of user input. There is no sanity
> check on it like removing / and .. sequences.
Would you agree that applying basename() would be ok as a quick fix?

    $uploadfile .= basename($_FILES['userfile']['name']);

instead of

    $uploadfile = $uploaddir . $_FILES['userfile']['name'];

?

(in the long run I should volunteer to rewrite this, folding in information
of my former magazine article on securing uploads ...)

-- 
Hartmut Holzgraefe
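As an added illustration (not code from the post above or from the PHP manual), the two ways of building the destination path side by side, run over constructed filenames; $uploaddir, the helper function names and the sample names are assumptions:

```php
<?php
// Added example; not code from the mailing-list post or the PHP manual.
// $uploaddir, the helper names and the sample filenames are assumptions.

$uploaddir = '/var/www/uploads/';

// Destination built the way the criticised manual example did it: the
// client-controlled name from $_FILES['userfile']['name'] is appended as-is,
// so a name containing '/' or '..' can point outside $uploaddir.
function destination_unsafe(string $uploaddir, string $clientName): string
{
    return $uploaddir . $clientName;
}

// Quick fix proposed in the reply: basename() strips every directory
// component (and '/' itself), so the result always sits inside $uploaddir.
// Names that reduce to '', '.' or '..' are rejected explicitly, because
// basename('x/..') is '..', which would make the target the parent directory.
function destination_basename(string $uploaddir, string $clientName): ?string
{
    $name = basename($clientName);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return $uploaddir . $name;
}

// Constructed sample filenames as a client might place them in the upload form.
$samples = ['report.pdf', '../../etc/passwd', 'sub/../../.htaccess', 'x/..'];

foreach ($samples as $name) {
    printf("%-22s unsafe: %-40s fixed: %s\n", $name,
        destination_unsafe($uploaddir, $name),
        destination_basename($uploaddir, $name) ?? '(rejected)');
}

// Upload handler using the fixed destination; mirrors the manual example's
// shape of checking the upload and then calling move_uploaded_file().
function handle_upload(string $uploaddir): bool
{
    if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $target = destination_basename($uploaddir, $_FILES['userfile']['name']);
    if ($target === null || !is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        return false;
    }
    return move_uploaded_file($_FILES['userfile']['tmp_name'], $target);
}
```

Note that basename() only treats '/' as a separator on non-Windows hosts; a backslash is then an ordinary character in the name, which still keeps the result inside $uploaddir.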