fix bug #54374, bug #55500 - filter file names better, no dangling [s

diff --git a/main/rfc1867.c b/main/rfc1867.c
index eca8e2d2fa548521faba5386e536f5ce6f2a22c9..b848126b2a9e1b4b87d4c47f7289cb95237f3b2f 100644 (file)
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -556,7 +556,7 @@ static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC
 {
        char *s = strrchr(path, '\\');
        char *s2 = strrchr(path, '/');
-       
+
        if (s && s2) {
                if (s > s2) {
                        ++s;
@@ -942,6 +942,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
                                        }
                                        tmp++;
                                }
+                               /* Brackets should always be closed */
+                               if(c != 0) {
+                                       skip_upload = 1;
+                               }
                        }
 
                        total_bytes = cancel_upload = 0;
@@ -977,7 +981,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 
                        offset = 0;
                        end = 0;
-                       
+
                        if (!cancel_upload) {
                                /* only bother to open temp file if we have data */
                                blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
@@ -1275,7 +1279,7 @@ SAPI_API void php_rfc1867_set_multibyte_callbacks(
        php_rfc1867_getword = getword;
        php_rfc1867_getword_conf = getword_conf;
        php_rfc1867_basename = basename;
-}      
+}
 /* }}} */
 
 /*

diff --git a/tests/basic/bug55500.phpt b/tests/basic/bug55500.phpt
new file mode 100644 (file)
index 0000000..22bc131
--- /dev/null
+++ b/tests/basic/bug55500.phpt
@@ -0,0 +1,67 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  [%u|b%"file"]=>
+  array(5) {
+    [%u|b%"name"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(9) "file1.txt"
+    }
+    [%u|b%"type"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(16) "text/plain-file1"
+    }
+    [%u|b%"tmp_name"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(%d) "%s"
+    }
+    [%u|b%"error"]=>
+    array(1) {
+      [0]=>
+      int(0)
+    }
+    [%u|b%"size"]=>
+    array(1) {
+      [0]=>
+      int(1)
+    }
+  }
+}
+array(0) {
+}