PHP Improper Input Validation Vulnerability - CVE-2016-10712

In PHP before 5.5.32 5.6.x before 5.6.18 and 7.x before 7.0.3 all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g. during file uploads). For example a quoturi stream_get_meta_data(fopen(file quotrquot))39uri39quot call mishandles the case where file is data:text/plainurieviluri -- in other words metadata can be set by an attacker.