From f5722d61b42c9867e524066de2c767aead570f91 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 12 Sep 2004 10:46:27 +0000
Subject: [PATCH] MFH
---
 main/rfc1867.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 3843ff4710..28471d5179 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -939,6 +939,25 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 } else {
 is_anonymous = 0;
 }
+
+ /* New Rule: never repair potential malicious user input */
+ if (!skip_upload) {
+ char *tmp = param;
+ long c = 0;
+
+ while (*tmp) {
+ if (*tmp == '[') {
+ c++;
+ } else if (*tmp == ']') {
+ c--;
+ }
+ if (c < 0) {
+ skip_upload = 1;
+ break;
+ }
+ tmp++;
+ }
+ }
 if (!skip_upload) {
 /* Handle file */
@@ -1013,10 +1032,6 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 * start_arr is set to point to 1st [ */
 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
- /* handle unterminated [ */
- if (!is_arr_upload && start_arr) {
- *start_arr = '_';
- }
 if (is_arr_upload) {
 array_len = strlen(start_arr);
-- 
2.50.1
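Review bot: The added balance loop in the first hunk sets `skip_upload` only when a `]` appears before its `[` (`c < 0`); a field name that finishes the loop with `c > 0`, i.e. with an unclosed `[`, is still accepted. The second hunk removes the `*start_arr = '_'` repair, which was the only visible handling of that case, so such names now continue unchanged past the `is_arr_upload` test (what consumes them afterwards lies outside the hunks). To follow the stated rule of rejecting rather than repairing, add `if (c != 0) { skip_upload = 1; }` directly after the `while` loop, with a short comment such as `/* brackets must always be closed */`. The body of rfc1867_post_handler begins and ends outside both hunks.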