From 75fa63b57fc8df45e3b7b4ae5a1e50a169b171cd Mon Sep 17 00:00:00 2001 From: Felipe Pena Date: Sun, 12 Jun 2011 15:14:18 +0000 Subject: [PATCH] - Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename) Reported by: kkotowicz at gmail dot com --- NEWS | 2 ++ main/rfc1867.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 81402dc52a..d86221fc30 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,8 @@ PHP NEWS and an --man-dir argument to php-config. (Hannes) . Fixed a crash inside dtor for error handling. (Ilia) + . Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload + filename). (Felipe) Reported by Krzysztof Kotowicz. . Fixed bug #54935 php_win_err can lead to crash. (Pierre) . Fixed bug #54924 (assert.* is not being reset upon request shutdown). (Ilia) diff --git a/main/rfc1867.c b/main/rfc1867.c index 4a0900b0f4..e05412aeef 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -1223,7 +1223,7 @@ filedone: #endif if (!is_anonymous) { - if (s && s > filename) { + if (s && s >= filename) { safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); } else { safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); @@ -1236,7 +1236,7 @@ filedone: } else { snprintf(lbuf, llen, "%s[name]", param); } - if (s && s > filename) { + if (s && s >= filename) { register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC); } else { register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); -- 2.50.1