From 8ba543d012b901dec6dd048e45902c1c5d05fb96 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Fri, 29 Sep 2006 13:24:33 +0000
Subject: [PATCH] fix for attack via FILES

---
 ChangeLog                      | 2 ++
 libraries/grab_globals.lib.php | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index eefb4eb89..91eb09509 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@ $Source$
 2006-09-29 Marc Delisle  <lem9@users.sourceforge.net>
     * libraries/database_interface.lib.php, bug #1566904, typo in require,
       thanks to Björn Wiberg - bwiberg.
+    * libraries/grab_globals.lib.php: fix attack via _FILES,
+      thanks to Stefan Esser
 
 2006-09-27 Marc Delisle  <lem9@users.sourceforge.net>
     * libraries/.htaccess: remove potential vulnerability (allow from none),
diff --git a/libraries/grab_globals.lib.php b/libraries/grab_globals.lib.php
index 424a321c4..c45a505a4 100644
--- a/libraries/grab_globals.lib.php
+++ b/libraries/grab_globals.lib.php
@@ -91,9 +91,12 @@ if (! empty($_POST)) {
 }
 
 if (! empty($_FILES)) {
-    foreach ($_FILES as $name => $value) {
-        $$name = $value['tmp_name'];
-        ${$name . '_name'} = $value['name'];
+    $_valid_variables = preg_replace($GLOBALS['_import_blacklist'], '', array_keys($_FILES));
+    foreach ($_valid_variables as $name) {
+        if (strlen($name) != 0) {
+            $$name = $_FILES[$name]['tmp_name'];
+            ${$name . '_name'} = $_FILES[$name]['name'];
+        }
     }
     unset($name, $value);
 }