Friends who have some knowledge of the PHP language know that it contains a powerful library of functions. Let's take a look at the specific features of the PHP uploaded_files function today.
In earlier versions of PHP, uploading files was probably done with the following code:
Copy CodeThe code is as follows:
......
if (isset ($_files[' file ')) {
$tmp _name = $_files[' file ' [' Tmp_name '];
}
if (file_exists ($tmp _name)) {
Copy ($tmp _name, $destfile);
}
......
But it is likely to be forged a $_files[' file ' array, and if tmp_name content is designated as the content of sensitive information such as/ETC/PASSWD, security issues can easily arise. PHP solves this problem with Is_uploaded_file () and Move_uploaded_file () in later versions, and the PHP uploaded_files function will not only check $_files[' file '] [' tmp_name '] exists and checks whether $_files[' file ' [' Tmp_name '] is an uploaded file, making it impossible to forge the $_files variable because the script will check the $_files[' file ' [' Tmp_name '] It is not the time PHP upload to terminate execution.
Has forgery become impossible? In a lot of scripts I see the initial part of the @extract ($_post) and so on to ensure that the program in the register globals in the environment can continue to run, such an environment we can easily forge $_files array, even the original $_ The files array is covered, but it is difficult to completely forge a $_files array because you cannot spare is_uploaded_file () and Move_uploaded_file ().
But in WINDOWS under the PHP environment test, we found that the PHP temporary file is very regular, is C:\WINDOWS \temp\php93.tmp this format, upload the file name will be C:\WINDOWS\TEMP\ Phpxxxxxx.tmp This format change, where xxxxxx is a hexadecimal number, and is incremented in order, which means that if the temporary file name of the upload is C:\WINDOWS\TEMP\PHP93.tmp, the next time it will be C:\WINDOWS\ temp\php94.tmp, temporary file names become regular.
But we may not know what the current file name is, this can be leaked through the error mechanism of PHP itself, such as we copy the temporary files to a directory with no permissions or the target file contains the file system prohibited characters can be the current temporary file name to disclose, of course, if No error suppression processing.
So how do you forgive Is_uploaded_file () and Move_uploaded_file ()? Look at the code in the PHP uploaded_files function section:
Copy CodeThe code is as follows:
Php_function (Is_uploaded_file)
{
Zval **path;
if (! SG (Rfc1867_uploaded_files)) {
Return_false;
}
if (Zend_num_args ()!= 1 zend_get_parameters_ex (1, &path)!= SUCCESS) {
Zend_wrong_param_count ();
}
CONVERT_TO_STRING_EX (path);
if (Zend_hash_exists (SG (Rfc1867_uploaded_files), z_strval_pp (path), z_strlen_pp (path) +1)) {
Return_true;
} else {
Return_false;
}
}
It is looked up from the current rfc1867_uploaded_files hash table to see if the current filename exists. Where Rfc1867_uploaded_files saved the current PHP script run by the system and PHP generated by the file upload variables and content. If it exists, the specified filename is indeed uploaded, or No.
PHP has a very strange feature is that when you submit an upload form, PHP before processing the file has been uploaded to the temporary directory, until the end of the PHP script will be destroyed. In other words, even if you submit such a form to a PHP script that does not accept the $_filse variable, the $_filse variable will still be generated and the file will be uploaded to the temp directory first. The problem arises. The following script might be able to illustrate this issue:
Copy CodeThe code is as follows:
<?
$a =$_files[' attach ' [' tmp_name '];
echo $a. " .............”;
$file = ' c:\\windows\\temp\\php95.tmp ';
Echo $file;
if (Is_uploaded_file ($file)) echo ' .......... Yes ';
?>
Where C:\\windows\\temp\\php95.tmp is the name of the temporary file I guess, when we tested the script we had to upload a file to it or 100 files, making one of the temporary files named c:\\windows\\temp\\ Php95.tmp. If the script has a extract operation at the moment, we can easily forge a $_files variable.
Don't you? You might want to ask what is the effect of a forged $_files variable, we can produce the original program does not allow the file name, PHP processing upload will be the original file name has a similar to the basename () operation, but once you can forge after we can easily within the filename add \ Ah. /Ah, wait, anything you like.
The actual use of PHP uploaded_files function may be a bit harsh, but it is also a bit of a flaw in PHP, hehe.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.