Details
- Bug
- Status: Closed
- Trivial
- Resolution: Invalid
- 3.1.9
- None
- None
- PHP 5.6.24, Firefox 47.0.1
Description
If I create a simple upload page, like this:
<?php
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './phpBB3/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Test</title>
</head><body>
<?php
// Dump what the request class returns for the multi-file field
if ($request->is_set_post('submit'))
{
	$fnames = $request->file('myfiles');
	var_dump($fnames);
}
?>
<form method="post" enctype="multipart/form-data">
<p>Upload Files: <input type="file" name="myfiles[]" multiple>
<p><input type=submit name="submit" value="Upload">
</form>
</body>
</html>
I select 3 files. It returns with:
array(5) { ["name"]=> string(4) "none" ["type"]=> string(4) "none" ["tmp_name"]=> string(4) "none" ["error"]=> string(4) "none" ["size"]=> string(4) "none" }
However, if I comment out "$this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim);" on line 409 of phpbb/request/request.php, it correctly produces:
array(5) { ["name"]=> array(3) { [0]=> string(11) "file1.WAV" [1]=> string(22) "file2.zip" [2]=> string(7) "file3.docx" } ["type"]=> array(3) { [0]=> string(11) "audio/x-wav" [1]=> string(15) "application/zip" [2]=> string(71) "application/vnd.openxmlformats-officedocument.wordprocessingml.document" } ["tmp_name"]=> array(3) { [0]=> string(14) "/tmp/phpyunc4u" [1]=> string(14) "/tmp/phpYjL8Vl" [2]=> string(14) "/tmp/phpSoH6Nc" } ["error"]=> array(3) { [0]=> int(0) [1]=> int(0) [2]=> int(0) } ["size"]=> array(3) { [0]=> int(9355) [1]=> int(10284) [2]=> int(11022) } }
Of course, commenting out set_var defeats most (all?) of the input security, so this is Very Bad. Since this doesn't directly affect the functioning of phpBB, I'm not sure how much time you'd like to devote to this. I've looked at recursive_set_var() and I'm not sure if I follow it yet.
Anyway, let me know if this is a simple fix.
Thanks.
Sincerely,
Bortman
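
PHP delivers a `name="myfiles[]"` field as five parallel arrays, as the second dump in the report shows. The following is an added example, not phpBB code and not from the reporter: it transposes that layout into one typed record per file while still casting every value, so input filtering stays in place. The function names and sample values are constructed for illustration, and the code is written to run on PHP 5.6.

```php
<?php
// Added example, not phpBB code; function names are hypothetical.
// Transpose name[i]/type[i]/... into one record per file, accepting only
// scalar values at integer indexes and casting each to a fixed type.
function normalize_uploads(array $field)
{
    $casts = array('name' => 'strval', 'type' => 'strval', 'tmp_name' => 'strval',
                   'error' => 'intval', 'size' => 'intval');
    foreach ($casts as $key => $cast) {
        if (!isset($field[$key]) || !is_array($field[$key])) {
            return array(); // single-file or malformed field: refuse it
        }
    }
    $files = array();
    foreach (array_keys($field['name']) as $i) {
        $record = array();
        foreach ($casts as $key => $cast) {
            if (!is_int($i) || !isset($field[$key][$i]) || !is_scalar($field[$key][$i])) {
                continue 2; // nested or inconsistent entry: drop the whole file
            }
            $record[$key] = $cast($field[$key][$i]);
        }
        $record['name'] = basename($record['name']); // strip client-supplied path parts
        $files[] = $record;
    }
    return $files;
}

// Keep only entries PHP reports as complete and within the size limit.
function accepted_uploads(array $files, $max_bytes)
{
    $ok = array();
    foreach ($files as $f) {
        if ($f['error'] === UPLOAD_ERR_OK && $f['size'] > 0 && $f['size'] <= $max_bytes) {
            $ok[] = $f;
        }
    }
    return $ok;
}

// Constructed sample shaped like $_FILES['myfiles'] for three selected files.
$sample = array(
    'name'     => array('file1.WAV', '../file2.zip', array('nested')),
    'type'     => array('audio/x-wav', 'application/zip', 'text/plain'),
    'tmp_name' => array('/tmp/phpAAAAAA', '/tmp/phpBBBBBB', '/tmp/phpCCCCCC'),
    'error'    => array(UPLOAD_ERR_OK, UPLOAD_ERR_OK, UPLOAD_ERR_OK),
    'size'     => array(9355, 10284, 11022),
);
var_dump(accepted_uploads(normalize_uploads($sample), 10000));
```

In a real request handler, each accepted `tmp_name` would then go to `move_uploaded_file()`, which also verifies that the file arrived through the HTTP upload; the `type` value is client-supplied and is kept only as a hint.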