我想将文件发布到服务器,并在Content-Disposition标题中提供文件文件名的相对路径(在Ubuntu上使用PHP 7.0,使用curl 7.47):
curl server/index.php -F "file=@somefile.txt;filename=a/b/c.txt"
应用--trace-ascii /dev/stdout选项显示:
0000: POST /index.php HTTP/1.1
0031: Host: server
004a: User-Agent: curl/7.47.0
0063: Accept: */*
0070: Content-Length: 111511
0088: Expect: 100-continue
009e: Content-Type: multipart/form-data; boundary=--------------------
00de: ----e656f77ee2b4759a
00f4:
...
0000: --------------------------e656f77ee2b4759a
002c: Content-Disposition: form-data; name="file"; filename="a/b/c.txt
006c: "
006f: Content-Type: application/octet-stream
0097:
...
现在,我的简单测试脚本<?php print_r($_FILES["file"]); ?>输出:
Array
(
[name] => c.txt
[type] => application/octet-stream
[tmp_name] => /tmp/phpNaikad
[error] => 0
[size] => 111310
)
但是,我期待[name] => a/b/c.txt。我逻辑中的缺陷在哪里?
根据https://stackoverflow.com/a/3393822/1647737,文件名可以包含相对路径。
PHP manual also implies this并建议使用basename()进行消毒。
答案 0 :(得分:1)
我们可以从php-interpreter sources,_basename()过滤器中看到出于安全原因和/或修复某些特定浏览器的过滤器。
文件:php-src / main / rfc1867.c
行~1151及以下:
/* The \ check should technically be needed for win32 systems only where
* it is a valid path separator. However, IE in all it's wisdom always sends
* the full path of the file on the user's filesystem, which means that unless
* the user does basename() they get a bogus file name. Until IE's user base drops
* to nill or problem is fixed this code must remain enabled for all systems. */
s = _basename(internal_encoding, filename);
if (!s) {
s = filename;
}