Quick-fix for the file upload security alert
authorRasmus Lerdorf <rasmus@php.net>
Mon, 4 Sep 2000 05:09:46 +0000 (05:09 +0000)
committerRasmus Lerdorf <rasmus@php.net>
Mon, 4 Sep 2000 05:09:46 +0000 (05:09 +0000)
Quick-fix for the file upload security alert (Rasmus)

main/rfc1867.c

index 5401af72d112b495656ab522f0dd7720ee31f1eb..eb1171c2b36c9dfabcb32235eb3abda59c527ad9 100644 (file)
@@ -64,7 +64,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
        int eolsize;
        long bytes, max_file_size = 0;
        char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL, 
-                *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL;
+                *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL;
        FILE *fp;
        int itype, is_arr_upload=0, arr_len=0;
        zval *http_post_files=NULL;
@@ -172,8 +172,10 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
                                                }
                                                abuf = estrndup(namebuf, strlen(namebuf)-arr_len);
                                                sprintf(lbuf, "%s_name[%s]", abuf, arr_index);
+                                               sbuf = estrdup(abuf);
                                        } else {
                                                sprintf(lbuf, "%s_name", namebuf);
+                                               sbuf = estrdup(abuf);
                                        }
                                        s = strrchr(filenamebuf, '\\');
                                        if (s && s > filenamebuf) {
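Review bot: The else branch duplicates `abuf`, but `abuf` is only assigned in the array-upload branch above it and is otherwise still the NULL it was initialised to in the declaration hunk (or a stale value from an earlier part), so `estrdup(abuf)` dereferences NULL for an ordinary file field; the intent is presumably the plain field name, `sbuf = estrdup(namebuf);`. Both branches also overwrite `sbuf` on every file part without releasing the previous copy, so with several file fields in one request only the last copy reaches the `efree` in the final hunk; releasing it before each reassignment, `if (sbuf) efree(sbuf);` ahead of the `estrdup`, would close that leak. The enclosing if/else and php_mime_split itself begin outside the hunk.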
@@ -252,7 +254,11 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
                                }
                                *(loc - 4) = '\0';
 
-                               php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+                               /* Check to make sure we are not overwriting special file
+                                * upload variables */
+                               if(memcmp(namebuf,sbuf,strlen(sbuf))) {
+                                       php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+                               }
 
                                /* And a little kludge to pick out special MAX_FILE_SIZE */
                                itype = php_check_ident_type(namebuf);
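Review bot: The new guard calls `strlen(sbuf)` without checking that `sbuf` was ever set; a request whose first body part is an ordinary form field reaches this line with `sbuf` still NULL, and `memcmp` also reads `strlen(sbuf)` bytes of `namebuf` even when `namebuf` is shorter. A bounded compare with a NULL guard covers both: `if (!sbuf || strncmp(namebuf, sbuf, strlen(sbuf)) != 0) {`. Beyond that, the comparison is only against the most recently seen file field, so a field that precedes its file part in the body is never checked, and a bare prefix test also rejects unrelated fields that merely share the prefix; comparing against the exact derived names this function registers (such as the `%s_name` form built in the previous hunk) would make the intent precise, and a comment saying that the check is positional would help until then. The enclosing loop body continues outside the hunk.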
@@ -353,6 +359,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
                                break;
                }
        }
+       if(sbuf) efree(sbuf);
        SAFE_RETURN;
 }