<?php
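// Show errors in the output. The directive name is 'display_errors'; with a
// misspelled name ini_set() returns false and changes nothing.
ini_set('display_errors', 'On');
error_reporting(-1);

// Test inputs: one plain file name plus several spellings of the same
// "../../1.png" directory-traversal (dt) path. The keys are printed as the
// case labels, so they are kept exactly as they are.
$i = array(
    'save'      => '1.png',                               // valid input: bare file name, no directory part
    'dt'        => '../../1.png',                         // directory traversal (dt), literal
    'dt_url_e'  => urlencode('../../1.png'),              // dt, URL-encoded once ("/" becomes %2F)
    'dt_durl_e' => urlencode(urlencode('../../1.png')),   // dt, URL-encoded twice ("%" becomes %25)
    'dt_utf8'   => '..%c0%af..%c0%af1.png',               // dt, "/" written as the overlong UTF-8 sequence C0 AF, percent-encoded
    'dt_url_d'  => urldecode('../../1.png'),              // dt passed through urldecode(); nothing to decode, so same string as 'dt'
    'dt_nb_d'   => '../../1.png%00',                      // dt with a percent-encoded NUL; a real NUL byte exists only after urldecode()
    'dt_nb'     => '../../1.png ',                        // dt with a trailing space character
);

// Run every case through fi() between two separator lines.
foreach ($i as $k => $s) {
    echo '----------------------------------'."\n";
    echo '** case: '.$k."\n\n";
    fi($s);
    echo '----------------------------------'."\n\n";
}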
/**
 * Print how realpath(), basename() and pathinfo() treat one candidate path,
 * both as given and after a single urldecode().
 *
 * What to look for when reading the output:
 * - realpath() returns false when the path cannot be resolved, and false
 *   prints as an empty string, so an empty "realpath:" line means "not resolved".
 * - basename() and pathinfo() do not decode percent-escapes: an encoded
 *   separator (%2F) stays inside the "file name". If the value is decoded only
 *   after basename() has been applied, the separators come back, so decode
 *   first and validate the decoded, resolved path against the allowed
 *   base directory.
 * - A NUL byte produced by decoding reaches realpath() on the second call.
 *
 * Each value is computed before its line is written, so a call that fails
 * leaves no partial line behind.
 *
 * @param string $s Candidate path, possibly percent-encoded.
 * @return void
 */
function fi($s)
{
    $decoded = urldecode($s);
    // pathinfo() is taken from the raw input, before anything is printed.
    $parts = pathinfo($s);

    printf("input: %s\n", $s);
    printf("input urldecoded: %s\n", $decoded);

    // Raw input: resolved path, then last path component.
    printf("realpath: %s\n", realpath($s));
    printf("basename: %s\n", basename($s));

    // Same two calls on the decoded input.
    printf("realpath url-d: %s\n", realpath($decoded));
    printf("basename url-d: %s\n", basename($decoded));

    var_dump($parts);
}
- Output for 8.0.0 - 8.0.30, 8.1.0 - 8.1.28, 8.2.0 - 8.2.18, 8.3.0 - 8.3.6
- ----------------------------------
** case: save
input: 1.png
input urldecoded: 1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_url_e
input: ..%2F..%2F1.png
input urldecoded: ../../1.png
realpath:
basename: ..%2F..%2F1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(15) "..%2F..%2F1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(11) "..%2F..%2F1"
}
----------------------------------
----------------------------------
** case: dt_durl_e
input: ..%252F..%252F1.png
input urldecoded: ..%2F..%2F1.png
realpath:
basename: ..%252F..%252F1.png
realpath url-d:
basename url-d: ..%2F..%2F1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(19) "..%252F..%252F1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(15) "..%252F..%252F1"
}
----------------------------------
----------------------------------
** case: dt_utf8
input: ..%c0%af..%c0%af1.png
input urldecoded: ..��..��1.png
realpath:
basename: ..%c0%af..%c0%af1.png
realpath url-d:
basename url-d: ..��..��1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(21) "..%c0%af..%c0%af1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(17) "..%c0%af..%c0%af1"
}
----------------------------------
----------------------------------
** case: dt_url_d
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_nb_d
input: ../../1.png%00
input urldecoded: ../../1.png
realpath:
basename: 1.png%00
Fatal error: Uncaught ValueError: realpath(): Argument #1 ($path) must not contain any null bytes in /in/pD8R0:36
Stack trace:
#0 /in/pD8R0(36): realpath('../../1.png\x00')
#1 /in/pD8R0(21): fi('../../1.png%00')
#2 {main}
thrown in /in/pD8R0 on line 36
Process exited with code 255.
- Output for 5.4.0 - 5.4.45, 5.5.0 - 5.5.38, 5.6.0 - 5.6.28, 7.0.0 - 7.0.20, 7.1.0 - 7.1.25, 7.2.0 - 7.2.33, 7.3.0 - 7.3.33, 7.4.0 - 7.4.33
- ----------------------------------
** case: save
input: 1.png
input urldecoded: 1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_url_e
input: ..%2F..%2F1.png
input urldecoded: ../../1.png
realpath:
basename: ..%2F..%2F1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(15) "..%2F..%2F1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(11) "..%2F..%2F1"
}
----------------------------------
----------------------------------
** case: dt_durl_e
input: ..%252F..%252F1.png
input urldecoded: ..%2F..%2F1.png
realpath:
basename: ..%252F..%252F1.png
realpath url-d:
basename url-d: ..%2F..%2F1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(19) "..%252F..%252F1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(15) "..%252F..%252F1"
}
----------------------------------
----------------------------------
** case: dt_utf8
input: ..%c0%af..%c0%af1.png
input urldecoded: ..��..��1.png
realpath:
basename: ..%c0%af..%c0%af1.png
realpath url-d:
basename url-d: ..��..��1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(21) "..%c0%af..%c0%af1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(17) "..%c0%af..%c0%af1"
}
----------------------------------
----------------------------------
** case: dt_url_d
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_nb_d
input: ../../1.png%00
input urldecoded: ../../1.png
realpath:
basename: 1.png%00
Warning: realpath() expects parameter 1 to be a valid path, string given in /in/pD8R0 on line 36
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(8) "1.png%00"
["extension"]=>
string(6) "png%00"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_nb
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(6) "1.png "
["extension"]=>
string(4) "png "
["filename"]=>
string(1) "1"
}
----------------------------------
- Output for 5.2.0 - 5.2.17, 5.3.0 - 5.3.29
- ----------------------------------
** case: save
input: 1.png
input urldecoded: 1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_url_e
input: ..%2F..%2F1.png
input urldecoded: ../../1.png
realpath:
basename: ..%2F..%2F1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(15) "..%2F..%2F1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(11) "..%2F..%2F1"
}
----------------------------------
----------------------------------
** case: dt_durl_e
input: ..%252F..%252F1.png
input urldecoded: ..%2F..%2F1.png
realpath:
basename: ..%252F..%252F1.png
realpath url-d:
basename url-d: ..%2F..%2F1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(19) "..%252F..%252F1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(15) "..%252F..%252F1"
}
----------------------------------
----------------------------------
** case: dt_utf8
input: ..%c0%af..%c0%af1.png
input urldecoded: ..��..��1.png
realpath:
basename: ..%c0%af..%c0%af1.png
realpath url-d:
basename url-d: ..��..��1.png
array(4) {
["dirname"]=>
string(1) "."
["basename"]=>
string(21) "..%c0%af..%c0%af1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(17) "..%c0%af..%c0%af1"
}
----------------------------------
----------------------------------
** case: dt_url_d
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_nb_d
input: ../../1.png%00
input urldecoded: ../../1.png
realpath:
basename: 1.png%00
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(8) "1.png%00"
["extension"]=>
string(6) "png%00"
["filename"]=>
string(1) "1"
}
----------------------------------
----------------------------------
** case: dt_nb
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(4) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(6) "1.png "
["extension"]=>
string(4) "png "
["filename"]=>
string(1) "1"
}
----------------------------------
- Output for 5.0.0 - 5.0.5, 5.1.0 - 5.1.6
- ----------------------------------
** case: save
input: 1.png
input urldecoded: 1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_url_e
input: ..%2F..%2F1.png
input urldecoded: ../../1.png
realpath:
basename: ..%2F..%2F1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(15) "..%2F..%2F1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_durl_e
input: ..%252F..%252F1.png
input urldecoded: ..%2F..%2F1.png
realpath:
basename: ..%252F..%252F1.png
realpath url-d:
basename url-d: ..%2F..%2F1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(19) "..%252F..%252F1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_utf8
input: ..%c0%af..%c0%af1.png
input urldecoded: ..��..��1.png
realpath:
basename: ..%c0%af..%c0%af1.png
realpath url-d:
basename url-d: ..��..��1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(21) "..%c0%af..%c0%af1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_url_d
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_nb_d
input: ../../1.png%00
input urldecoded: ../../1.png
realpath:
basename: 1.png%00
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(8) "1.png%00"
["extension"]=>
string(6) "png%00"
}
----------------------------------
----------------------------------
** case: dt_nb
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(6) "1.png "
["extension"]=>
string(4) "png "
}
----------------------------------
- Output for 4.3.0 - 4.3.11, 4.4.0 - 4.4.9
- ----------------------------------
** case: save
input: 1.png
input urldecoded: 1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_url_e
input: ..%2F..%2F1.png
input urldecoded: ../../1.png
realpath:
basename: ..%2F..%2F1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(15) "..%2F..%2F1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_durl_e
input: ..%252F..%252F1.png
input urldecoded: ..%2F..%2F1.png
realpath:
basename: ..%252F..%252F1.png
realpath url-d:
basename url-d: ..%2F..%2F1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(19) "..%252F..%252F1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_utf8
input: ..%c0%af..%c0%af1.png
input urldecoded: ..��..��1.png
realpath:
basename: ..%c0%af..%c0%af1.png
realpath url-d:
basename url-d: ..��..��1.png
array(3) {
["dirname"]=>
string(1) "."
["basename"]=>
string(21) "..%c0%af..%c0%af1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_url_d
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(5) "1.png"
["extension"]=>
string(3) "png"
}
----------------------------------
----------------------------------
** case: dt_nb_d
input: ../../1.png%00
input urldecoded: ../../1.png
realpath:
basename: 1.png%00
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(8) "1.png%00"
["extension"]=>
string(6) "png%00"
}
----------------------------------
----------------------------------
** case: dt_nb
input: ../../1.png
input urldecoded: ../../1.png
realpath:
basename: 1.png
realpath url-d:
basename url-d: 1.png
array(3) {
["dirname"]=>
string(5) "../.."
["basename"]=>
string(6) "1.png "
["extension"]=>
string(4) "png "
}
----------------------------------