Index: file.inc
===================================================================
--- file.inc	(revision 46)
+++ file.inc	(working copy)
@@ -193,7 +193,7 @@
   }
 
   // If a file was uploaded, process it.
-  if ($_FILES["files"]["name"][$source] && is_uploaded_file($_FILES["files"]["tmp_name"][$source])) {
+  if ($_FILES["files"]["name"][$source]) {
 
     // Check for file upload errors and return FALSE if a
     // lower level system error occurred.
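Review bot: With `is_uploaded_file()` taken out of this condition, the only gate into the upload branch is the truthiness of the client-supplied `$_FILES["files"]["name"][$source]`. A file whose name is the string `0` is therefore still treated as "no upload", and a missing key raises a notice. An explicit test such as `if (isset($_FILES["files"]["name"][$source]) && $_FILES["files"]["name"][$source] !== '') {` would state the intent. Because the provenance check now sits further down, a comment here would help, e.g. `// is_uploaded_file() is verified below, after the upload error codes have been handled.` The body of this `if` continues past the end of the hunk, so whether the code in between touches `tmp_name` cannot be confirmed from these lines.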
@@ -219,37 +219,53 @@
         return 0;
     }
 
-    // Begin building file object.
-    $file = new stdClass();
-    $file->filename = trim(basename($_FILES["files"]["name"][$source]), '.');
+    if (!is_uploaded_file($_FILES["files"]["tmp_name"][$source])) {
+      
+      // no error was picked up by $_FILES["files"]["error"], but php doesn't think this "is_uploaded_file"
+      //  @see http://php.net/is_uploaded_file
+      //  ...which suggests that if this test fails, there's a "Possible file upload attack"
+      watchdog('file', t('Possible file upload attack: %file failed is_uploaded_file test', array('%file' => $_FILES["files"]["tmp_name"][$source])),
+               WATCHDOG_WARNING, l('http://php.net/is_uploaded_file', 'http://php.net/is_uploaded_file'));
+      // slightly milder error message for users
+      drupal_set_message(t('The file %file could not be saved. An unknown error has occurred.', array('%file' => $source)),'error');
+      return 0;
+    }
+    else {      
 
-    // Create temporary name/path for newly uploaded files. On Windows, tempnam()
-    // requires an absolute path, so we use realpath().
-    $file->filepath = tempnam(realpath(file_directory_temp()), 'tmp_');
+      // no errors
 
-    $file->filemime = $_FILES["files"]["type"][$source];
-
-    // Rename potentially executable files, to help prevent exploits.
-    if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
-      $file->filemime = 'text/plain';
-      $file->filepath .= '.txt';
-      $file->filename .= '.txt';
+      // Begin building file object.
+      $file = new stdClass();
+      $file->filename = trim(basename($_FILES["files"]["name"][$source]), '.');
+  
+      // Create temporary name/path for newly uploaded files. On Windows, tempnam()
+      // requires an absolute path, so we use realpath().
+      $file->filepath = tempnam(realpath(file_directory_temp()), 'tmp_');
+  
+      $file->filemime = $_FILES["files"]["type"][$source];
+  
+      // Rename potentially executable files, to help prevent exploits.
+      if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+        $file->filemime = 'text/plain';
+        $file->filepath .= '.txt';
+        $file->filename .= '.txt';
+      }
+  
+      // Move uploaded files from php's upload_tmp_dir to Drupal's file temp.
+      // This overcomes open_basedir restrictions for future file operations.
+      if (!move_uploaded_file($_FILES["files"]["tmp_name"][$source], $file->filepath)) {
+        drupal_set_message(t('File upload error. Could not move uploaded file.'));
+        watchdog('file', t('Upload Error. Could not move uploaded file (%file) to destination (%destination).', array('%file' => $_FILES["files"]["tmp_name"][$source], '%destination' => $file->filepath)));
+        return FALSE;
+      }
+  
+      $file->filesize = $_FILES["files"]["size"][$source];
+      $file->source = $source;
+  
+      // Add processed file to the cache.
+      $upload_cache[$source] = $file;
+      return $file;
     }
-
-    // Move uploaded files from php's upload_tmp_dir to Drupal's file temp.
-    // This overcomes open_basedir restrictions for future file operations.
-    if (!move_uploaded_file($_FILES["files"]["tmp_name"][$source], $file->filepath)) {
-      drupal_set_message(t('File upload error. Could not move uploaded file.'));
-      watchdog('file', t('Upload Error. Could not move uploaded file (%file) to destination (%destination).', array('%file' => $_FILES["files"]["tmp_name"][$source], '%destination' => $file->filepath)));
-      return FALSE;
-    }
-
-    $file->filesize = $_FILES["files"]["size"][$source];
-    $file->source = $source;
-
-    // Add processed file to the cache.
-    $upload_cache[$source] = $file;
-    return $file;
   }
 
   else {
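Review bot: The `else {` opened after the new `is_uploaded_file()` guard is unnecessary, because the guard already ends in `return 0;`. It forces the extension-rename and `move_uploaded_file()` lines to be re-indented, which makes it hard to confirm that this security-relevant code is otherwise unchanged. Dropping the `else` and keeping the rest of the body at its original indent would reduce this hunk to the added guard alone. The watchdog entry also records only `tmp_name`; adding `$source` and `$_FILES["files"]["name"][$source]` as further `%` placeholders would give whoever triages the "possible file upload attack" event the field and the client-supplied name. The enclosing function starts and ends outside the hunk.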
