Newsgroups: php.internals
Message-ID: <47745.216.230.84.67.1183060863.squirrel@www.l-i-e.com>
Date: Thu, 28 Jun 2007 15:01:03 -0500 (CDT)
From: ceo@l-i-e.com ("Richard Lynch")
To: "Tim Starling"
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Bug 38245: magic_quotes_gpc and $_FILES

On Tue, June 19, 2007 5:19 am, Tim Starling wrote:
> Can someone explain the closing comment on this bug report to me?
>
> http://bugs.php.net/bug.php?id=38245
>
> Surely in an addslashes-escaped string, \\ is the Windows directory
> separator, not \.
>
> The bug clearly describes irreversible corruption of upload filenames
> by PHP. I just had a report of it in a MediaWiki context, and I can't
> believe that it wouldn't be considered a bug.

Coming in late, but there has been no response I can see so far...

You may also want to test with magic_quotes_gpc *OFF* and see if that
makes a difference.

I'm not sure why basename would be applied at all, since the browser
only sends the basename of the file anyway, no?

Perhaps, however, this is to avoid "hacks" that upload files with
bogus filenames in attempts to do evil things...

Even so, the basename should/could be applied before the magic quotes,
I should think.

On the plus side, if this bug gets people to turn OFF Magic Quotes,
that's a net gain. :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
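
The ordering point raised in the message above, as an added example that is not part of the original e-mail or of PHP's source: it compares escaping before path stripping with path stripping before escaping. `strip_client_path` is a hypothetical helper assumed to treat both `/` and `\` as separators, and the sample filenames are constructed.

```php
<?php
// Added illustration; not code from PHP's upload handling.
// Assumption: the handler keeps only what follows the last "/" or "\"
// in the client-supplied filename, as a Windows-aware basename would.
function strip_client_path(string $name): string
{
    $name = str_replace('\\', '/', $name);
    $pos = strrpos($name, '/');
    return $pos === false ? $name : substr($name, $pos + 1);
}

// Order described in the thread: escape first, then strip the path.
// The backslash added by addslashes() is then read as a separator.
function escape_then_strip(string $client): string
{
    return strip_client_path(addslashes($client));
}

// Order suggested in the reply: strip the path first, then escape.
function strip_then_escape(string $client): string
{
    return addslashes(strip_client_path($client));
}

// Constructed sample filenames (not taken from the bug report).
$samples = [
    "report.txt",
    "O'Reilly notes.txt",
    'C:\\Users\\tim\\O\'Reilly notes.txt',
];

foreach ($samples as $client) {
    $want = strip_client_path($client);
    foreach (['escape_then_strip', 'strip_then_escape'] as $order) {
        $stored = $order($client);
        // An application that knows magic quotes are on undoes them here.
        $recovered = stripslashes($stored);
        $verdict = $recovered === $want
            ? 'recoverable'
            : 'CORRUPTED (got ' . $recovered . ')';
        printf("%-18s %-36s -> %-22s %s\n", $order, $client, $stored, $verdict);
    }
}
```

With the escape-first order, everything up to and including the inserted backslash is discarded, so `stripslashes()` cannot restore the original name; with the strip-first order the escaping round-trips.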