Fix #77372: Retain full path of files for directory uploads (#6917)

To fix https://bugs.php.net/bug.php?id=77372 and improve support of `<input type="file" name="files" multiple webkitdirectory>` I introduced another item to the `$_FILES` array called `full_path`, containing the full filename, as supplied by the user-agent. Co-authored-by: Björn Tantau <bjoern@bjoern-tantau.de>
2025-08-15 21:48:51 +02:00 · 2021-05-14 11:43:55 +02:00 · 2021-05-14 11:43:55 +02:00 · d764f1dc12
commit d764f1dc12
parent 21422e8536
26 changed files with 238 additions and 49 deletions
--- a/ext/session/tests/rfc1867.phpt
+++ b/ext/session/tests/rfc1867.phpt
@ -54,9 +54,11 @@ string(%d) "rfc1867"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -67,9 +69,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_cleanup.phpt
+++ b/ext/session/tests/rfc1867_cleanup.phpt
@ -54,9 +54,11 @@ string(%d) "rfc1867-cleanup"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -67,9 +69,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_disabled.phpt
+++ b/ext/session/tests/rfc1867_disabled.phpt
@ -47,9 +47,11 @@ session_destroy();
 string(%d) "rfc1867-disabled"
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -60,9 +62,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_disabled_2.phpt
+++ b/ext/session/tests/rfc1867_disabled_2.phpt
@ -47,9 +47,11 @@ session_destroy();
 string(%d) "rfc1867-disabled-2"
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -60,9 +62,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_inter.phpt
+++ b/ext/session/tests/rfc1867_inter.phpt
@ -57,9 +57,11 @@ session_destroy();
 string(%d) "rfc1867-inter"
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -70,9 +72,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_no_name.phpt
+++ b/ext/session/tests/rfc1867_no_name.phpt
@ -47,9 +47,11 @@ session_destroy();
 string(%d) "rfc1867-no-name"
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -60,9 +62,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_cookie.phpt
+++ b/ext/session/tests/rfc1867_sid_cookie.phpt
@ -53,9 +53,11 @@ string(%d) "rfc1867-sid-cookie"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -66,9 +68,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_get.phpt
+++ b/ext/session/tests/rfc1867_sid_get.phpt
@ -51,9 +51,11 @@ string(%d) "rfc1867-sid-get"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -64,9 +66,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_get_2.phpt
+++ b/ext/session/tests/rfc1867_sid_get_2.phpt
@ -53,9 +53,11 @@ string(%d) "rfc1867-sid-get-2"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -66,9 +68,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_invalid.phpt
+++ b/ext/session/tests/rfc1867_sid_invalid.phpt
@ -65,9 +65,11 @@ string(%d) ""
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -78,9 +80,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_only_cookie.phpt
+++ b/ext/session/tests/rfc1867_sid_only_cookie.phpt
@ -53,9 +53,11 @@ string(%d) "rfc1867-sid-only-cookie"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -66,9 +68,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_only_cookie_2.phpt
+++ b/ext/session/tests/rfc1867_sid_only_cookie_2.phpt
@ -50,9 +50,11 @@ string(%d) "%s"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -63,9 +65,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/ext/session/tests/rfc1867_sid_post.phpt
+++ b/ext/session/tests/rfc1867_sid_post.phpt
@ -49,9 +49,11 @@ string(%d) "rfc1867-sid-post"
 bool(true)
 array(2) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -62,9 +64,11 @@ array(2) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@ -55,7 +55,7 @@ PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **
 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, bool override_protection);
 /* The longest property name we use in an uploaded file array */
-#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
+#define MAX_SIZE_OF_INDEX sizeof("[full_path]")
 /* The longest anonymous name */
 #define MAX_SIZE_ANONNAME 33
@ -1142,9 +1142,20 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 				snprintf(lbuf, llen, "%s[name]", param);
 			}
 			register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
 			efree(filename);
 			s = NULL;
 			/* Add full path of supplied file for folder uploads via 
 			 * <input type="file" name="files" multiple webkitdirectory>
 			 */
 			/* Add $foo[full_path] */
 			if (is_arr_upload) {
 				snprintf(lbuf, llen, "%s[full_path][%s]", abuf, array_index);
 			} else {
 				snprintf(lbuf, llen, "%s[full_path]", param);
 			}
 			register_http_post_files_variable(lbuf, filename, &PG(http_globals)[TRACK_VARS_FILES], 0);
 			efree(filename);
 			/* Possible Content-Type: */
 			if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
 				cd = "";
--- a/sapi/cli/tests/php_cli_server_005.phpt
+++ b/sapi/cli/tests/php_cli_server_005.phpt
@ -52,9 +52,11 @@ Content-type: text/html; charset=UTF-8
 array(1) {
  ["userfile"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(12) "laruence.txt"
    ["full_path"]=>
    string(12) "laruence.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
--- a/tests/basic/021.phpt
+++ b/tests/basic/021.phpt
@ -24,9 +24,11 @@ var_dump($_POST);
 --EXPECTF--
 array(1) {
  ["pics"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(12) "bug37276.txt"
    ["full_path"]=>
    string(12) "bug37276.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
--- a/tests/basic/029.phpt
+++ b/tests/basic/029.phpt
@ -32,9 +32,11 @@ var_dump($_POST);
 --EXPECTF--
 array(1) {
  ["pics"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
--- a/tests/basic/bug55500.phpt
+++ b/tests/basic/bug55500.phpt
@ -36,12 +36,17 @@ var_dump($_POST);
 --EXPECTF--
 array(1) {
  ["file"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    array(1) {
      [0]=>
      string(9) "file1.txt"
    }
    ["full_path"]=>
    array(1) {
      [0]=>
      string(9) "file1.txt"
    }
    ["type"]=>
    array(1) {
      [0]=>
--- a/tests/basic/rfc1867_anonymous_upload.phpt
+++ b/tests/basic/rfc1867_anonymous_upload.phpt
@ -25,9 +25,11 @@ var_dump($_POST);
 --EXPECTF--
 array(2) {
  [%d]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(16) "text/plain-file1"
    ["tmp_name"]=>
@ -38,9 +40,11 @@ array(2) {
    int(1)
  }
  [%d]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(16) "text/plain-file2"
    ["tmp_name"]=>
--- a/tests/basic/rfc1867_array_upload.phpt
+++ b/tests/basic/rfc1867_array_upload.phpt
@ -30,7 +30,7 @@ var_dump($_POST);
 --EXPECTF--
 array(1) {
  ["file"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    array(3) {
      [0]=>
@ -40,6 +40,15 @@ array(1) {
      [3]=>
      string(9) "file3.txt"
    }
    ["full_path"]=>
    array(3) {
      [0]=>
      string(9) "file1.txt"
      [2]=>
      string(9) "file2.txt"
      [3]=>
      string(9) "file3.txt"
    }
    ["type"]=>
    array(3) {
      [0]=>
--- a/tests/basic/rfc1867_empty_upload.phpt
+++ b/tests/basic/rfc1867_empty_upload.phpt
@ -40,9 +40,11 @@ if (is_uploaded_file($_FILES["file3"]["tmp_name"])) {
 --EXPECTF--
 array(3) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(16) "text/plain-file1"
    ["tmp_name"]=>
@ -53,9 +55,11 @@ array(3) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(0) ""
    ["full_path"]=>
    string(0) ""
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -66,9 +70,11 @@ array(3) {
    int(0)
  }
  ["file3"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file3.txt"
    ["full_path"]=>
    string(9) "file3.txt"
    ["type"]=>
    string(16) "text/plain-file3"
    ["tmp_name"]=>
--- a/tests/basic/rfc1867_max_file_size.phpt
+++ b/tests/basic/rfc1867_max_file_size.phpt
@ -40,9 +40,11 @@ if (is_uploaded_file($_FILES["file3"]["tmp_name"])) {
 --EXPECTF--
 array(3) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(16) "text/plain-file1"
    ["tmp_name"]=>
@ -53,9 +55,11 @@ array(3) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -66,9 +70,11 @@ array(3) {
    int(0)
  }
  ["file3"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file3.txt"
    ["full_path"]=>
    string(20) "C:\foo\bar/file3.txt"
    ["type"]=>
    string(16) "text/plain-file3"
    ["tmp_name"]=>
--- a/tests/basic/rfc1867_max_file_uploads_empty_files.phpt
+++ b/tests/basic/rfc1867_max_file_uploads_empty_files.phpt
@ -40,9 +40,11 @@ if (is_uploaded_file($_FILES["file4"]["tmp_name"])) {
 --EXPECTF--
 array(4) {
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(0) ""
    ["full_path"]=>
    string(0) ""
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -53,9 +55,11 @@ array(4) {
    int(0)
  }
  ["file3"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(0) ""
    ["full_path"]=>
    string(0) ""
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -66,9 +70,11 @@ array(4) {
    int(0)
  }
  ["file4"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file4.txt"
    ["full_path"]=>
    string(9) "file4.txt"
    ["type"]=>
    string(15) "text/plain-file"
    ["tmp_name"]=>
@ -79,9 +85,11 @@ array(4) {
    int(0)
  }
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(15) "text/plain-file"
    ["tmp_name"]=>
--- a/tests/basic/rfc1867_missing_boundary_2.phpt
+++ b/tests/basic/rfc1867_missing_boundary_2.phpt
@ -18,9 +18,11 @@ var_dump($_POST);
 --EXPECT--
 array(1) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
--- a/tests/basic/rfc1867_multiple_webkitdirectory.phpt
+++ b/tests/basic/rfc1867_multiple_webkitdirectory.phpt
@ -0,0 +1,74 @@
 --TEST--
 Request #77372 (Relative file path is removed from uploaded file)
 --INI--
 file_uploads=1
 upload_max_filesize=1024
 max_file_uploads=10
 --POST_RAW--
 Content-Type: multipart/form-data; boundary=---------------------------64369134225794159231042985467
 -----------------------------64369134225794159231042985467
 Content-Disposition: form-data; name="files[]"; filename="directory/subdirectory/file2.txt"
 Content-Type: text/plain
 2
 -----------------------------64369134225794159231042985467
 Content-Disposition: form-data; name="files[]"; filename="directory/file1.txt"
 Content-Type: text/plain
 1
 -----------------------------64369134225794159231042985467--
 --FILE--
 <?php
 var_dump($_FILES);
 var_dump($_POST);
 ?>
 --EXPECTF--
 array(1) {
  ["files"]=>
  array(6) {
    ["name"]=>
    array(2) {
      [0]=>
      string(9) "file2.txt"
      [1]=>
      string(9) "file1.txt"
    }
    ["full_path"]=>
    array(2) {
      [0]=>
      string(32) "directory/subdirectory/file2.txt"
      [1]=>
      string(19) "directory/file1.txt"
    }
    ["type"]=>
    array(2) {
      [0]=>
      string(10) "text/plain"
      [1]=>
      string(10) "text/plain"
    }
    ["tmp_name"]=>
    array(2) {
      [0]=>
      string(%d) "%s"
      [1]=>
      string(%d) "%s"
    }
    ["error"]=>
    array(2) {
      [0]=>
      int(0)
      [1]=>
      int(0)
    }
    ["size"]=>
    array(2) {
      [0]=>
      int(1)
      [1]=>
      int(1)
    }
  }
 }
 array(0) {
 }
--- a/tests/basic/rfc1867_post_max_filesize.phpt
+++ b/tests/basic/rfc1867_post_max_filesize.phpt
@ -36,9 +36,11 @@ if (is_uploaded_file($_FILES["file3"]["tmp_name"])) {
 --EXPECTF--
 array(3) {
  ["file1"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file1.txt"
    ["full_path"]=>
    string(9) "file1.txt"
    ["type"]=>
    string(16) "text/plain-file1"
    ["tmp_name"]=>
@ -49,9 +51,11 @@ array(3) {
    int(1)
  }
  ["file2"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file2.txt"
    ["full_path"]=>
    string(9) "file2.txt"
    ["type"]=>
    string(0) ""
    ["tmp_name"]=>
@ -62,9 +66,11 @@ array(3) {
    int(0)
  }
  ["file3"]=>
-  array(5) {
+  array(6) {
    ["name"]=>
    string(9) "file3.txt"
    ["full_path"]=>
    string(9) "file3.txt"
    ["type"]=>
    string(16) "text/plain-file3"
    ["tmp_name"]=>