Uploaded in Windows environment

In earlier versions of PHP, uploading files was probably done with the following code:

......
if (isset ($_files[' file ')) {
$tmp _name = $_files[' file ' [' Tmp_name '];
}
if (file_exists ($tmp _name)) {
Copy ($tmp _name, $destfile);
}
......

But it is very likely that a $_files[' file ' array will be forged, and if tmp_name content is designated as the content of sensitive information such as/ETC/PASSWD, security issues can easily arise. PHP solves the problem with Is_uploaded_file () and Move_uploaded_file () in later versions, with Is_uploaded_file () not only checking $_files[' file ' [' Tmp_name '] exists and checks whether $_files[' file ' [' Tmp_name '] is an uploaded file, making it impossible to forge the $_files variable because the script will check the $_files[' file ' [' Tmp_name '] It is not the time PHP upload to terminate execution. Has
forgery become impossible? In a lot of scripts I see the initial part of the @extract ($_post) and so on to ensure that the program in the register globals in the environment can continue to run, such an environment we can easily forge $_files array, even the original $_ The files array is covered, but it is difficult to completely forge a $_files array because you cannot spare is_uploaded_file () and Move_uploaded_file (). But in WINDOWS under the PHP environment test, we found that the PHP temporary file is very regular, is C:\WINDOWS\TEMP\php93.tmp this format, upload the file name will be C:\WINDOWS\TEMP\ Phpxxxxxx.tmp This format change, where xxxxxx is a hexadecimal number, and is incremented in order, which means that if the temporary file name of the upload is C:\WINDOWS\TEMP\php93.tmp, the next time it will be C:\WINDOWS\ temp\php94.tmp, temporary file names become regular. But we may not know what the current file name is, which can be leaked through the error mechanism of PHP itself, such as if we copy the temporary files to a directory without permission or if the files contain file system prohibited characters in the target file, the current temporary file name can be leaked. Of course, the premise is no error suppression processing.
So how do you forgive Is_uploaded_file () and Move_uploaded_file ()? Look at the code in the Is_uploaded_file () section of PHP:

Php_function (Is_uploaded_file)
{
Zval **path;
if (! SG (Rfc1867_uploaded_files)) {
Return_false;
}
if (Zend_num_args ()!= 1 | | | ZEND_GET_PARAMETERS_EX (1, &path)!= SUCCESS) {
Zend_wrong_param_count ();
}
CONVERT_TO_STRING_EX (path);
if (Zend_hash_exists (SG (Rfc1867_uploaded_files), z_strval_pp (path), z_strlen_pp (path) +1)) {
Return_true;
} else {
Return_false;
}
}

It is looked up from the current rfc1867_uploaded_files hash table to see if the current filename exists. Where Rfc1867_uploaded_files saved the current PHP script run by the system and PHP generated by the file upload variables and content. If it exists, the specified filename is indeed uploaded, or No.
PHP has a very strange feature is that when you submit an upload form, PHP before processing the file has been uploaded to the temporary directory, until the end of the PHP script will be destroyed. In other words, even if you submit such a form to a PHP script that does not accept the $_filse variable, the $_filse variable will still be generated and the file will be uploaded to the temp directory first. The problem arises. The following script might be able to illustrate this issue:

?
$a =$_files[' attach ' [' tmp_name '];
echo $a. " .............";
$file = ' c:\\windows\\temp\\php95.tmp ';
Echo $file;
if (Is_uploaded_file ($file)) echo ' .......... Yes ';
?>

Where C:\\windows\\temp\\php95.tmp is the name of the temporary file I guess, when we tested the script we had to upload a file to it or 100 files, making one of the temporary files named c:\\windows\\temp\\ Php95.tmp. If the script has a extract operation at the moment, we can easily forge a $_files variable. Don't you? You might want to ask what is the effect of a forged $_files variable, we can produce the original program does not allow the file name, PHP processing upload will be the original file name has a similar to the basename () operation, but once you can forge after we can easily within the filename add \ Ah. /Ah, wait, anything you like.
The actual use may be a bit harsh, but it is also a bit of a flaw in PHP, hehe.