Home Original page

basename function doesn't remove drive letter

Bug #66395 basename function doesn't remove drive letter
Submitted: 2014-01-03 07:12 UTC Modified: 2014-01-05 18:30 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: php at tokumaru dot org Assigned: ab (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.5.7 OS: Windows
Private report: No CVE-ID: None

 [2014-01-03 07:12 UTC] php at tokumaru dot org

Description:
------------
basename function doesn't remove drive letter(example C:) on WIndows.
if path includes directory separator characters('\' or '/'), basename function returns trailing name component of path.
But, if path doesn't include directory separator characters, basename function returns file name with drive letter.


Test script:
---------------
echo basename('c:autoexec.bat');

Expected result:
----------------
autoexec.bat

Actual result:
--------------
c:autoexec.bat

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2014-01-03 21:46 UTC] ab@php.net

-Status: Open +Status: Closed

 [2014-01-03 22:09 UTC] ab@php.net

-Assigned To: +Assigned To: ab

 [2014-01-05 12:46 UTC] php at tokumaru dot org

Thank you for the the bug fix.
However, this bug fix still has a problem.
The new basename function returns "c:autoexec.bat" for "c:c:autoexec.bat".
Basename function is used for directory traversal attack protection, so this behavior is not good.
The colon character(:) in NTFS file name is used to express NTFS stream, but PHP cannot treat NTFS streams.
Therefore, I think that the colon character(:) should be treated in the same way as a slash(/) and a backslash(\).

 [2014-01-05 18:30 UTC] ab@php.net

Thanks very much for staying on this, further fix is applied to 5.4+ http://git.php.net/?p=php-src.git;a=commitdiff;h=3f7f72adb25786f51e7907e0d37f2e25bd5cf3dd . Your traversal idea is brilliant :)

Btw. PHP can read NTFS streams, I didn't check the code yet, but a small snippet like basename("c:/somewhere/hello:world") worked in 5.4 . That's why it were wrong to handle ':' as directory separator. The implementation always checks for X:, char+colon therefore.

Thanks.