File: CVE-2012-1172.patch

package info (click to toggle)
php5 5.3.3-7%2Bsqueeze19
  • links: PTS, VCS
  • area: main
  • in suites: squeeze
  • size: 122,836 kB
  • ctags: 55,742
  • sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22
file content (84 lines) | stat: -rw-r--r-- 1,949 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -1008,6 +1008,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
 					}
 					tmp++;
 				}
+				/* Brackets should always be closed */
+				if(c != 0) {
+					skip_upload = 1;
+				}
 			}
 
 			total_bytes = cancel_upload = 0;
--- /dev/null
+++ b/tests/basic/bug55500.phpt
@@ -0,0 +1,68 @@
+--TEST--
+Bug #55500 (Corrupted $_FILES indices lead to security concern)
+--INI--
+file_uploads=1
+error_reporting=E_ALL&~E_NOTICE
+upload_max_filesize=1024
+max_file_uploads=10
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[]"; filename="file1.txt"
+Content-Type: text/plain-file1
+
+1
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[type]"; filename="file2.txt"
+Content-Type: text/plain-file2
+
+2
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[[name]"; filename="file3.txt"
+Content-Type: text/plain-file3
+
+3
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="file[name]["; filename="file4.txt"
+Content-Type: text/plain-file3
+
+4
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_FILES);
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  [%u|b%"file"]=>
+  array(5) {
+    [%u|b%"name"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(9) "file1.txt"
+    }
+    [%u|b%"type"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(16) "text/plain-file1"
+    }
+    [%u|b%"tmp_name"]=>
+    array(1) {
+      [0]=>
+      %unicode|string%(%d) "%s"
+    }
+    [%u|b%"error"]=>
+    array(1) {
+      [0]=>
+      int(0)
+    }
+    [%u|b%"size"]=>
+    array(1) {
+      [0]=>
+      int(1)
+    }
+  }
+}
+array(0) {
+}