makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/9615] magic_quotes_gpc: call stripslashes() before utf8_basename()

Browse source 
When magic_quotes_gpc is 'On' it also affects the $_FILES array and a filename
like 'bantu"s testfile.txt' will be returned as 'bantu\"s testfile.txt'.

Because utf8_basename() also strips off anything before the last backslash
the filename was returned as '"s testfile.txt'.

Calling stripslashes() before utf8_basename() solves the problem.

PHPBB3-9615
This commit is contained in:
Andreas Fischer 2010-08-04 12:35:19 +02:00
parent e1328e87ce
commit dd63f57344
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
phpBB/includes/functions_upload.php
View file

@ -58,8 +58,9 @@ class filespec
$this->filename = $upload_ary['tmp_name']; $this->filename = $upload_ary['tmp_name'];
$this->filesize = $upload_ary['size']; $this->filesize = $upload_ary['size'];
$name = trim(utf8_htmlspecialchars(utf8_basename($upload_ary['name']))); $name = (STRIP) ? stripslashes($upload_ary['name']) : $upload_ary['name'];
$this->realname = $this->uploadname = (STRIP) ? stripslashes($name) : $name; $name = trim(utf8_htmlspecialchars(utf8_basename($name)));
$this->realname = $this->uploadname = $name;
$this->mimetype = $upload_ary['type']; $this->mimetype = $upload_ary['type'];
// Opera adds the name to the mime type // Opera adds the name to the mime type