On Sun, Feb 16, 2020 at 6:24 PM Craig Francis <cr...@craigfrancis.co.uk>
wrote:

> Just to check, at the moment, if I was an evil hacker, and was to run:
>
> curl -F 'file=@example.jpg;filename=../../../example.php' https://example.com/upload/
>
> The $_FILES['file']['name'] would be set to "example.php", where PHP has
> removed the leading "../../../" (good to see).
>
> Does that happen simply because of this IE fix, where it uses _basename()
> in the PHP source:
>
>
> https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1144


Mostly, it seems. _basename will either be php_ap_basename[1] or
php_mb_rfc1867_basename[2], and both of those handle the base name
functionality regardless of platform.

The comment's a little misleading, though. The original implementation[3]
had a magic quotes check when compiled under WIN32, and that's what the
comment's talking about. The comment's not saying that the basename call
itself is for Windows only.

[1]: https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L558
[2]: https://github.com/php/php-src/blob/2e97ae91c8ac404be00050eef414b555aba45a1c/ext/mbstring/mbstring.c#L852
[3]: https://github.com/php/php-src/blob/7ee1fdb657f2a6da65087552e6dda8cf2f4bd1ef/main/rfc1867.c#L1088
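
An added sketch (not part of the original message and not PHP's own source) of the behaviour discussed above: a basename step that treats both `/` and `\` as separators on every platform. The function names, the constructed sample filenames and the extra rejection of empty, `.` and `..` names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return a pointer to the last path component of `path`, treating both
 * '/' and '\\' as separators on every platform (no WIN32 #ifdef). */
static const char *upload_basename(const char *path)
{
    const char *fwd = strrchr(path, '/');
    const char *back = strrchr(path, '\\');
    const char *sep = fwd;

    /* Keep whichever separator occurs later in the string. */
    if (back && (!sep || back > sep))
        sep = back;
    return sep ? sep + 1 : path;
}

/* A stripped name can still be unusable: "", "." and ".." survive the
 * basename step (e.g. filename="uploads/.."), so reject them explicitly. */
static int upload_name_is_usable(const char *name)
{
    return name[0] != '\0'
        && strcmp(name, ".") != 0
        && strcmp(name, "..") != 0;
}

int main(void)
{
    /* Constructed sample filenames, as a client could send them. */
    const char *samples[] = {
        "../../../example.php",
        "C:\\Users\\me\\example.jpg",
        "..\\../mixed/example.php",
        "uploads/..",
        "trailing/",
        "plain.jpg",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = upload_basename(samples[i]);
        printf("%-28s -> \"%s\" (%s)\n", samples[i], name,
               upload_name_is_usable(name) ? "usable" : "rejected");
    }
    return 0;
}
```

The first sample still comes out as `example.php`: removing the directory part says nothing about the extension, so the stored name and type need their own checks.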
