author | Felipe Pena <felipe@php.net> | 2011-06-12 15:14:18 +0000 |
---|---|---|
committer | Felipe Pena <felipe@php.net> | 2011-06-12 15:14:18 +0000 |
commit | 75fa63b57fc8df45e3b7b4ae5a1e50a169b171cd (patch) | |
tree | 2177c04e44cd5002969bd719c198592fc358281c /main | |
parent | bb16e23891bc8b464dd42a809fea6547566f13e9 (diff) | |
- Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename)
Reported by: kkotowicz at gmail dot com
Diffstat (limited to 'main')
-rw-r--r-- | main/rfc1867.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 4a0900b0f4..e05412aeef 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -1223,7 +1223,7 @@ filedone:
 #endif
 if (!is_anonymous) {
- if (s && s > filename) {
+ if (s && s >= filename) {
 safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
 } else {
 safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
@@ -1236,7 +1236,7 @@ filedone:
 } else {
 snprintf(lbuf, llen, "%s[name]", param);
 }
- if (s && s > filename) {
+ if (s && s >= filename) {
 register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
 } else {
 register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); |
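Review bot: The basename test `s && s >= filename` is written out twice, once before `safe_php_register_variable` in the first hunk and once before `register_http_post_files_variable` in the second, which is how the same boundary mistake needed fixing in two places. Computing the stripped name once, for example `char *base = s ? s + 1 : filename;`, and passing `base` at both call sites would stop the two copies from drifting apart. The assignment of `s` lies outside both hunks, but if it always points into `filename` when non-NULL, then `s >= filename` is always true and the test reduces to `if (s)`. A one-line comment such as `/* strip through the last path separator, including one at index 0 */` would record why `>` was wrong. When the separator is the only character, `s+1` is an empty string, so an empty name is registered and consumers of the uploaded file name still have to validate it.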