Re: Error in php doc?

On Sun, December 3, 2006 4:39 am, MS P wrote:
> Hi. There seems to be a minor error in the page
> http://www.php.net/manual/en/features.file-upload.php. In Example 38-2
> "Validating file uploads", there is a line:
>
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>
> It looks like basename() is not required there, because I found that
> when I upload a file using IE6 (IE6 includes the whole path to the
> uploaded file, see
> http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE),
> the value of $_FILES['userfile']['name'] is a file name but not a path.
> It looks like php has taken the file name from the path automatically.
> (I am using php 5.2.0 and win2k.) Can someone check if I am correct?
> Thanks.

There are probably other reasons to keep that there...

For starters, IE is not the only browser, much less the only User Agent.

In particular, I would presume somebody out there has crafted an evil
uploader that sends paths like, oh, "../../../../../../etc/passwd" as
the 'name' of the upload.

If you are silly enough to blindly use that and overwrite your passwd
file, well, there ya go.

The 'name' field should not be trusted.  It comes from the user, and
anybody who can count past 10 with their shoes on could spoof it to
any value they like, including malicious values.

Plus, unless you check every single minor release version of PHP, you
can't be sure it ALWAYS stripped the path out.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
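As an added illustration of the reply's point (this is not code from the manual page or from either poster), the following PHP function treats the client-supplied 'name' as untrusted: it normalises it with basename(), then applies a conservative character whitelist and a containment check so the destination can only ever be a plain file directly inside the upload directory. The sample inputs are constructed; the backslash normalisation is an assumption added because basename() only splits on '/' on non-Windows builds.

```php
<?php
// Added example: hardening the destination path built from $_FILES[...]['name'].

/**
 * Returns a safe destination path under $uploadDir for a client-supplied
 * file name, or null if the name cannot be made safe.
 */
function safe_upload_target(string $uploadDir, string $clientName): ?string
{
    // IE6-style whole paths use backslashes; on non-Windows PHP basename()
    // only recognises '/', so normalise first (assumption, see lead-in).
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject empty names, dot-files and anything outside a small charset.
    if ($name === '' || $name[0] === '.'
        || !preg_match('/^[A-Za-z0-9._-]{1,100}$/', $name)) {
        return null;
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;

    // Belt and braces: the final path must still sit inside the upload dir.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs: the traversal value from the thread, an IE6-style
// whole path, an ordinary name, and a dot-file.
$uploadDir = sys_get_temp_dir();
$cases = [
    '../../../../../../etc/passwd',
    'C:\\Documents and Settings\\user\\report.doc',
    'report.doc',
    '.htaccess',
];
foreach ($cases as $c) {
    // The unsafe concatenation the thread warns about, shown for contrast.
    $naive = $uploadDir . '/' . $c;
    $safe  = safe_upload_target($uploadDir, $c);
    printf("%-45s\n  naive: %s\n  safe : %s\n", $c, $naive,
           $safe === null ? 'REJECTED' : $safe);
}
```

With basename() alone the traversal value collapses to "passwd" inside the upload directory, which is the behaviour the manual's example relies on; the whitelist and containment check cover the remaining cases (dot-files, odd characters, platform differences).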
