From 75fa63b57fc8df45e3b7b4ae5a1e50a169b171cd Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipe@php.net>
Date: Sun, 12 Jun 2011 15:14:18 +0000
Subject: - Fixed bug #54939 (File path injection vulnerability in RFC1867 File
 upload filename)   Reported by: kkotowicz at gmail dot com

---
 main/rfc1867.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'main')

diff --git a/main/rfc1867.c b/main/rfc1867.c
index 4a0900b0f4..e05412aeef 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -1223,7 +1223,7 @@ filedone:
 #endif
 
 			if (!is_anonymous) {
-				if (s && s > filename) {
+				if (s && s >= filename) {
 					safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
 				} else {
 					safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
@@ -1236,7 +1236,7 @@ filedone:
 			} else {
 				snprintf(lbuf, llen, "%s[name]", param);
 			}
-			if (s && s > filename) {
+			if (s && s >= filename) {
 				register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
 			} else {
 				register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
-- 
cgit v1.2.1