From 9a581ab5d83731777af9ec1b03639091107b13a9 Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Fri, 29 Sep 2006 12:54:34 +0000
Subject: [PATCH] fix for attack via FILES

---
 ChangeLog                      | 4 ++++
 libraries/grab_globals.lib.php | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 312589cb9..6c0a79ef6 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$
 
+2006-09-29 Marc Delisle
+        * libraries/grab_globals.lib.php: fix attack via _FILES,
+          thanks to Stefan Esser
+
 2006-09-27 Marc Delisle
         * libraries/common.lib.php, /session.inc.php, /url_generating.lib.php:
           security fixes (announcement will come later),
diff --git a/libraries/grab_globals.lib.php b/libraries/grab_globals.lib.php
index 424a321c4..c45a505a4 100644
--- a/libraries/grab_globals.lib.php
+++ b/libraries/grab_globals.lib.php
@@ -91,9 +91,12 @@ if (! empty($_POST)) {
 }
 
 if (! empty($_FILES)) {
-    foreach ($_FILES as $name => $value) {
-        $$name = $value['tmp_name'];
-        ${$name . '_name'} = $value['name'];
+    $_valid_variables = preg_replace($GLOBALS['_import_blacklist'], '', array_keys($_FILES));
+    foreach ($_valid_variables as $name) {
+        if (strlen($name) != 0) {
+            $$name = $_FILES[$name]['tmp_name'];
+            ${$name . '_name'} = $_FILES[$name]['name'];
+        }
     }
     unset($name, $value);
 }
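Review bot: In the grab_globals.lib.php hunk the loop indexes `$_FILES[$name]` with the name after `preg_replace` has rewritten it, so a key that a blacklist pattern matches only partially becomes a different, non-empty name that is not a key of `$_FILES`: the lookup raises an undefined-index notice and a global under the rewritten name is still created, holding null. Whether a partial match can occur depends on the patterns in `$GLOBALS['_import_blacklist']`, which are defined outside this hunk; unless every pattern is anchored to the whole key, stripping the match is weaker than rejecting the key outright. A safer shape is to iterate over the original keys and skip any key the blacklist alters, so only unmodified keys ever reach `$_FILES[$name]`, and to document that intent with a comment such as `// import only upload names that no blacklist pattern touches`. The `unset($name, $value);` line still names `$value`, which the new loop no longer assigns.
```php
if (! empty($_FILES)) {
    // import only upload names that no blacklist pattern touches
    foreach (array_keys($_FILES) as $name) {
        if (preg_replace($GLOBALS['_import_blacklist'], '', $name) !== $name) {
            continue;
        }
        $$name = $_FILES[$name]['tmp_name'];
        ${$name . '_name'} = $_FILES[$name]['name'];
    }
    unset($name);
}
```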