$ _FILE [「file」] [「name」]中的相對路徑被截斷爲基本名稱？

Question

我要發佈一個文件到服務器與Content-Disposition頭（使用PHP 7.0在Ubuntu的捲曲度7.47）內提供該文件的文件名的相對路徑：

curl server/index.php -F "file=@somefile.txt;filename=a/b/c.txt" 

運用--trace-ascii /dev/stdout選項顯示：

0000: POST /index.php HTTP/1.1 
0031: Host: server 
004a: User-Agent: curl/7.47.0 
0063: Accept: */* 
0070: Content-Length: 111511 
0088: Expect: 100-continue 
009e: Content-Type: multipart/form-data; boundary=-------------------- 
00de: ----e656f77ee2b4759a 
00f4: 
... 
0000: --------------------------e656f77ee2b4759a 
002c: Content-Disposition: form-data; name="file"; filename="a/b/c.txt 
006c: " 
006f: Content-Type: application/octet-stream 
0097: 
... 

現在，我簡單的測試腳本<?php print_r($_FILES["file"]); ?>輸出：

Array 
(
    [name] => c.txt 
    [type] => application/octet-stream 
    [tmp_name] => /tmp/phpNaikad 
    [error] => 0 
    [size] => 111310 
) 

Howeve r，我預計[name] => a/b/c.txt。我的邏輯缺陷在哪裏？

根據https://stackoverflow.com/a/3393822/1647737，文件名可以包含相對路徑。

PHP manual also implies this並建議用basename()進行消毒。

Answer 1

正如我們從php-interpreter sources,_basename()過濾器出於安全原因調用和/或修復某些特定的瀏覽器。

文件：PHP-的src/main/rfc1867.c

行〜1151及以下：

 /* The \ check should technically be needed for win32 systems only where 
     * it is a valid path separator. However, IE in all it's wisdom always sends 
     * the full path of the file on the user's filesystem, which means that unless 
     * the user does basename() they get a bogus file name. Until IE's user base drops 
     * to nill or problem is fixed this code must remain enabled for all systems. */ 
     s = _basename(internal_encoding, filename); 
     if (!s) { 
      s = filename; 
     }