Quick fix for a possible file upload exploit. Patch from PHP CVS. Problem

noted by Brian Clark <brianj@fusionwerks.com>.

www/php4/patches/patch-rfc1867.c

@@ -0,0 +1,51 @@
+--- main/rfc1867.c:1.38	Sat Aug  5 23:40:28 2000
++++ main/rfc1867.c	Sun Sep  3 22:09:46 2000
+@@ -15,7 +15,7 @@
+    | Authors: Rasmus Lerdorf <rasmus@php.net>                             |
+    +----------------------------------------------------------------------+
+  */
+-/* $Id: patch-rfc1867.c,v 1.1 2000/09/04 06:57:12 jakob Exp $ */
++/* $Id: patch-rfc1867.c,v 1.1 2000/09/04 06:57:12 jakob Exp $ */
+ 
+ #include <stdio.h>
+ #include "php.h"
+@@ -64,7 +64,7 @@
+ 	int eolsize;
+ 	long bytes, max_file_size = 0;
+ 	char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL, 
+-		 *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL;
++		 *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL;
+ 	FILE *fp;
+ 	int itype, is_arr_upload=0, arr_len=0;
+ 	zval *http_post_files=NULL;
+@@ -172,8 +172,10 @@
+ 						}
+ 						abuf = estrndup(namebuf, strlen(namebuf)-arr_len);
+ 						sprintf(lbuf, "%s_name[%s]", abuf, arr_index);
++						sbuf = estrdup(abuf);
+ 					} else {
+ 						sprintf(lbuf, "%s_name", namebuf);
++						sbuf = estrdup(abuf);
+ 					}
+ 					s = strrchr(filenamebuf, '\\');
+ 					if (s && s > filenamebuf) {
+@@ -252,7 +254,11 @@
+ 				}
+ 				*(loc - 4) = '\0';
+ 
+-				php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
++				/* Check to make sure we are not overwriting special file
++				 * upload variables */
++				if(memcmp(namebuf,sbuf,strlen(sbuf))) {
++					php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
++				}
+ 
+ 				/* And a little kludge to pick out special MAX_FILE_SIZE */
+ 				itype = php_check_ident_type(namebuf);
+@@ -353,6 +359,7 @@
+ 				break;
+ 		}
+ 	}
++	if(sbuf) efree(sbuf);
+ 	SAFE_RETURN;
+ }