From c98e28795fc75abfcc1644217e2d5ef3b8b55e3e Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Mon, 20 Oct 2008 17:09:10 +0000 Subject: [PATCH] Fixed #46313 (Magic quotes broke $_FILES) # magic_quotes_gpc was disabled during registration of $_FILES["x"]["tmp_name"] # and $GLOBALS["x"] (which is tmp_name with register_globals enabled). This # caused "x" to not be escaped so there was 2 different keys for the same file # in $_FILES, one with tmp_name and the other without. # All other variables (name, size, etc) are registered with magic_quotes_gpc # untouched, both in $_FILES and $GLOBALS and I did not found a reason for # disabling it for tmp_name. --- main/rfc1867.c | 4 --- tests/basic/bug46313-win.phpt | 62 +++++++++++++++++++++++++++++++++++ tests/basic/bug46313.phpt | 62 +++++++++++++++++++++++++++++++++++ 3 files changed, 124 insertions(+), 4 deletions(-) create mode 100644 tests/basic/bug46313-win.phpt create mode 100644 tests/basic/bug46313.phpt diff --git a/main/rfc1867.c b/main/rfc1867.c index a32abfc298..8d51a3f612 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -1283,8 +1283,6 @@ filedone: /* Initialize variables */ add_protected_variable(param TSRMLS_CC); - magic_quotes_gpc = PG(magic_quotes_gpc); - PG(magic_quotes_gpc) = 0; /* if param is of form xxx[.*] this will cut it to xxx */ if (!is_anonymous) { safe_php_register_variable(param, temp_filename, strlen(temp_filename), NULL, 1 TSRMLS_CC); @@ -1299,8 +1297,6 @@ filedone: add_protected_variable(lbuf TSRMLS_CC); register_http_post_files_variable(lbuf, temp_filename, http_post_files, 1 TSRMLS_CC); - PG(magic_quotes_gpc) = magic_quotes_gpc; - { zval file_size, error_type; diff --git a/tests/basic/bug46313-win.phpt b/tests/basic/bug46313-win.phpt new file mode 100644 index 0000000000..276efe196f --- /dev/null +++ b/tests/basic/bug46313-win.phpt 
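Review bot: With the save/restore of `PG(magic_quotes_gpc)` removed in both rfc1867.c hunks (around `safe_php_register_variable(param, temp_filename, ...)` and around `register_http_post_files_variable(lbuf, temp_filename, ...)`), the server-generated `temp_filename` value is now registered while magic quotes are active, not just the key derived from the client-supplied field name. Those helpers are defined outside the hunks; if they escape values as well as keys, a temporary path containing a backslash or quote (a Windows temp directory, for instance) would be stored altered in `tmp_name`, and later `is_uploaded_file()`/`move_uploaded_file()` calls on it could fail. I would keep the key escaping but pass the temp path through unescaped, and record the reason next to the call, e.g. `/* temp_filename is generated by the server: escape the key only, the value must stay byte-identical for is_uploaded_file() */`. The local `magic_quotes_gpc`, declared outside these hunks, may now be unused and could probably be dropped. Both hunks sit inside a function whose body starts and ends outside the diff.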
@@ -0,0 +1,62 @@
+--TEST--
+Bug #46313 (Magic quotes broke $_FILES)
+--SKIPIF--
+
+--INI--
+magic_quotes_gpc=1
+file_uploads=1
+register_globals=1
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="o1'file"; filename="o1'file.png"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="o2'file"; filename="o2'file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["o1\'file"]=>
+ array(5) {
+ ["name"]=>
+ string(12) "o1"
+ ["type"]=>
+ string(16) "text/plain-file1"
+ ["tmp_name"]=>
+ string(14) "%s"
+ ["error"]=>
+ int(0)
+ ["size"]=>
+ int(1)
+ }
+ ["o2\'file"]=>
+ array(5) {
+ ["name"]=>
+ string(13) "o2"
+ ["type"]=>
+ string(16) "text/plain-file2"
+ ["tmp_name"]=>
+ string(14) "%s"
+ ["error"]=>
+ int(0)
+ ["size"]=>
+ int(1)
+ }
+}
+string(12) "o1"
+bool(true)
+string(%d) "%s"
+bool(true)
diff --git a/tests/basic/bug46313.phpt b/tests/basic/bug46313.phpt
new file mode 100644
index 0000000000..a293315777
--- /dev/null
+++ b/tests/basic/bug46313.phpt
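Review bot: The tmp_name expectations `string(14) "%s"` hard-code the length of the temporary path, so the test passes only when the upload directory happens to yield a 14-byte name (such as `/tmp/phpXXXXXX`); on the Windows variant this is unlikely to hold, and the same lines appear in tests/basic/bug46313.phpt. Use `string(%d) "%s"` there, as the last dump in the same EXPECTF section already does. In this file the name lines read `string(12) "o1"` and `string(13) "o2"`, where the declared length does not match the visible text; that may be an artifact of how the page was captured, but it is worth checking against the committed file. Neither test uses a temporary path containing a quote or backslash, so they do not show whether `tmp_name` survives magic quotes unchanged.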
@@ -0,0 +1,62 @@
+--TEST--
+Bug #46313 (Magic quotes broke $_FILES)
+--SKIPIF--
+
+--INI--
+magic_quotes_gpc=1
+file_uploads=1
+register_globals=1
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="o1'file"; filename="o1'file.png"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="o2'file"; filename="o2'file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737--
+--FILE--
+
+--EXPECTF--
+array(2) {
+ ["o1\'file"]=>
+ array(5) {
+ ["name"]=>
+ string(12) "o1\'file.png"
+ ["type"]=>
+ string(16) "text/plain-file1"
+ ["tmp_name"]=>
+ string(14) "%s"
+ ["error"]=>
+ int(0)
+ ["size"]=>
+ int(1)
+ }
+ ["o2\'file"]=>
+ array(5) {
+ ["name"]=>
+ string(13) "o2\'file2.txt"
+ ["type"]=>
+ string(16) "text/plain-file2"
+ ["tmp_name"]=>
+ string(14) "%s"
+ ["error"]=>
+ int(0)
+ ["size"]=>
+ int(1)
+ }
+}
+string(12) "o1\'file.png"
+bool(true)
+string(%d) "%s"
+bool(true)
--
2.40.0