- Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename)

  Reported by: kkotowicz at gmail dot com

diff --git a/NEWS b/NEWS
index 81402dc52a1292d3e60f47f3a69db551ef8fe4cd..d86221fc3014f9e08fbfc06ea9e3ffa5c5caa30f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,8 @@ PHP                                                                        NEWS
     and an --man-dir argument to php-config. (Hannes)
 
   . Fixed a crash inside dtor for error handling. (Ilia)
+  . Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload
+    filename). (Felipe) Reported by Krzysztof Kotowicz.
 
   . Fixed bug #54935 php_win_err can lead to crash. (Pierre)
   . Fixed bug #54924 (assert.* is not being reset upon request shutdown). (Ilia)

diff --git a/main/rfc1867.c b/main/rfc1867.c
index 4a0900b0f4e527c3ff82959418f4558918ce3b6a..e05412aeef5aff45b3d1ce03d13e5d9ee201c40b 100644 (file)
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -1223,7 +1223,7 @@ filedone:
 #endif
 
                        if (!is_anonymous) {
-                               if (s && s > filename) {
+                               if (s && s >= filename) {
                                        safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
                                } else {
                                        safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
@@ -1236,7 +1236,7 @@ filedone:
                        } else {
                                snprintf(lbuf, llen, "%s[name]", param);
                        }
-                       if (s && s > filename) {
+                       if (s && s >= filename) {
                                register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
                        } else {
                                register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);