- Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename)

  Reported by: kkotowicz at gmail dot com

2 files changed, 4 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index 81402dc52a..d86221fc30 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,8 @@ PHP                                                                        NEWS
     and an --man-dir argument to php-config. (Hannes)
 
   . Fixed a crash inside dtor for error handling. (Ilia)
+  . Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload
+    filename). (Felipe) Reported by Krzysztof Kotowicz.
 
   . Fixed bug #54935 php_win_err can lead to crash. (Pierre)
   . Fixed bug #54924 (assert.* is not being reset upon request shutdown). (Ilia)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 4a0900b0f4..e05412aeef 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -1223,7 +1223,7 @@ filedone:
 #endif
 
 			if (!is_anonymous) {
-				if (s && s > filename) {
+				if (s && s >= filename) {
 					safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
 				} else {
 					safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
@@ -1236,7 +1236,7 @@ filedone:
 			} else {
 				snprintf(lbuf, llen, "%s[name]", param);
 			}
-			if (s && s > filename) {
+			if (s && s >= filename) {
 				register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
 			} else {
 				register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);