From: Ilia Alshanetsky
Date: Thu, 20 Jan 2005 17:57:41 +0000 (+0000)
Subject: MFH: Fixed bug #31398 (When magic_guotes_gpc are enabled filenames with '
X-Git-Tag: php-4.3.11RC1~124
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4ff3a50a06530b80208ee46fe08fef00234ed421;p=php
MFH: Fixed bug #31398 (When magic_guotes_gpc are enabled filenames with ' get cutoff).
---
diff --git a/NEWS b/NEWS
index ec92a6ecf7..b8e9582af7 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ PHP 4 NEWS
 - Fixed bug #31174 (compile warning in url.c). (Ilia, lukem at NetBSD dot org)
 - Fixed bug #31159 (COM object access is not working). (Wez)
 - Fixed bug #31142 (imap_mail_compose() fails to generate correct output). (Ilia)
+- Fixed bug #31398 (When magic_guotes_gpc are enabled filenames with ' get cutoff).
+ (Ilia)
 - Fixed bug #31120 (mssql_query returns false on successfull inserts and stored procedures). (Frank)
 - Fixed bugs #31107, #31110, #31111 (Compile failure of zend_strtod.c). (Jani)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 9ee87aa874..1f28cf3997 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -1085,7 +1085,7 @@ PHPAPI char *php_basename(char *s, size_t len, char *suffix, size_t sufflen)
 #endif
 ) c--;
- if (c < s+len-1) {
+ if (c+1 >= s && c < s+len-1) {
 buf = *(c + 1); /* Save overwritten char */
 *(c + 1) = '\0'; /* overwrite char */
 p = c + 1; /* Save pointer to overwritten char */
diff --git a/main/rfc1867.c b/main/rfc1867.c
index c2abf2e9f7..16de12166c 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -31,6 +31,7 @@
 #include "php_globals.h"
 #include "php_variables.h"
 #include "rfc1867.h"
+#include "ext/standard/php_string.h"
 #undef DEBUG_FILE_UPLOAD
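Review bot: The new `c+1 >= s` test in the ext/standard/string.c hunk carries no comment on which input it covers, and it can only be false once the `c--` loop above has moved `c` more than one element below `s`, at which point `*c` has presumably already been read outside the buffer. Since this commit also routes client-supplied upload names through php_basename, the lower bound belongs in the loop condition itself (for example `c >= s &&` ahead of the separator test) rather than after it. If the guard stays, document it with something like `/* c has run off the front of s: name was empty or all separators */`. The loop head lies outside this hunk, so whether it already bounds `c` cannot be confirmed from here.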
@@ -842,7 +843,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 while (!multipart_buffer_eof(mbuff TSRMLS_CC)) {
 char buff[FILLUNIT];
- char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
+ char *cd=NULL,*param=NULL,*filename=NULL;
 int blen=0, wlen=0;
 zend_llist_clean(&header);
@@ -1064,30 +1065,13 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 str_len = strlen(filename);
 php_mb_gpc_encoding_converter(&filename, &str_len, 1, NULL, NULL TSRMLS_CC);
 }
- s = php_mb_strrchr(filename, '\\' TSRMLS_CC);
- if ((tmp = php_mb_strrchr(filename, '/' TSRMLS_CC)) > s) {
- s = tmp;
- }
 num_vars--;
- } else {
- s = strrchr(filename, '\\');
- if ((tmp = strrchr(filename, '/')) > s) {
- s = tmp;
- }
- }
-#else
- s = strrchr(filename, '\\');
- if ((tmp = strrchr(filename, '/')) > s) {
- s = tmp;
 }
 #endif
- if (PG(magic_quotes_gpc)) {
- s = s ? s : filename;
- tmp = strrchr(s, '\'');
- s = tmp > s ? tmp : s;
- tmp = strrchr(s, '"');
- s = tmp > s ? tmp : s;
- }
+ /* ensure that the uploaded file name only contains the path */
+ s = php_basename(filename, strlen(filename), NULL, 0);
+ efree(filename);
+ filename = s;
 if (s && s > filename) {
 safe_php_register_variable(lbuf, s+1, NULL, 0 TSRMLS_CC);
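Review bot: Whether a backslash-separated client path is still stripped from the upload name now depends on php_basename's separator set, which this hunk does not show; the removed lines looked for both `\\` and `/` on every build and used `php_mb_strrchr` when mbstring conversion was active. The string.c hunk in this commit appears to keep part of the separator test under a preprocessor conditional, so please confirm with a test on each platform that a name such as a full Windows-style path is still reduced to its last component, and that multibyte names whose trailing byte equals a separator are handled. After `filename = s;` the following `if (s && s > filename)` can never be true, so the `s+1` registration is dead and the test should be dropped in favour of registering `filename` directly (the rest of that statement is outside the hunk). The added comment also states the opposite of what the code does; `/* strip any client-supplied path, keep only the file name */` would match.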