archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Implement fix for bug #46439 - add CURLFile class for safer uploads

Browse source
This commit is contained in:
Stanislav Malyshev 2013-01-28 22:22:59 -08:00
parent 420bcc1a8e
commit a9d013bb02
10 changed files with 243 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

4
NEWS
View file

@ -5,6 +5,10 @@ PHP NEWS
. Fixed bug # 60833 (self, parent, static behave inconsistently . Fixed bug # 60833 (self, parent, static behave inconsistently
case-sensitive). (Stas, mario at include-once dot org) case-sensitive). (Stas, mario at include-once dot org)
- cURL:
. Implemented FR #46439 - added CURLFile for safer file uploads.
(Stas)
24 Jan 2013, PHP 5.5.0 Alpha 4 24 Jan 2013, PHP 5.5.0 Alpha 4
- Core: - Core:

11
UPGRADING
View file

@ -155,6 +155,8 @@ PHP 5.5 UPGRADE NOTES
bool(true) was returned. bool(true) was returned.
- setcookie(), setrawcookie() and ext/session now send Max-Age headers alongside - setcookie(), setrawcookie() and ext/session now send Max-Age headers alongside
Expires headers. (see https://wiki.php.net/rfc/cookie_max-age) Expires headers. (see https://wiki.php.net/rfc/cookie_max-age)
- curl_setopt now accepts new option CURLOPT_SAFE_UPLOAD and CURLFile object for
safer file uploads (see https://wiki.php.net/rfc/curl-file-upload)
======================================== ========================================
5. New Functions 5. New Functions
@ -167,6 +169,9 @@ PHP 5.5 UPGRADE NOTES
- password_needs_rehash() - password_needs_rehash()
- password_verify() - password_verify()
- cURL:
- curl_file_create
- Hash: - Hash:
- hash_pbkdf2() - hash_pbkdf2()
@ -267,6 +272,9 @@ PHP 5.5 UPGRADE NOTES
- IntlRuleBasedBreakIterator - IntlRuleBasedBreakIterator
- IntlCodePointBreakIterator - IntlCodePointBreakIterator
- cURL:
- CURLFile
======================================== ========================================
7. Removed Extensions 7. Removed Extensions
======================================== ========================================
@ -286,6 +294,9 @@ PHP 5.5 UPGRADE NOTES
- mysqli: - mysqli:
- Added MYSQLI_SERVER_PUBLIC_KEY constant to be used with mysqli_options() - Added MYSQLI_SERVER_PUBLIC_KEY constant to be used with mysqli_options()
- cURL:
- Added CURLOPT_SAFE_UPLOAD to be used with curl_setopt().
======================================== ========================================
10. Changes to INI File Handling 10. Changes to INI File Handling
======================================== ========================================

2
ext/curl/config.m4
View file

@ -149,6 +149,6 @@ int main(int argc, char *argv[])
AC_DEFINE(PHP_CURL_URL_WRAPPERS,1,[ ]) AC_DEFINE(PHP_CURL_URL_WRAPPERS,1,[ ])
fi fi
PHP_NEW_EXTENSION(curl, interface.c multi.c share.c streams.c, $ext_shared) PHP_NEW_EXTENSION(curl, interface.c multi.c share.c streams.c curl_file.c, $ext_shared)
PHP_SUBST(CURL_SHARED_LIBADD) PHP_SUBST(CURL_SHARED_LIBADD)
fi fi

2
ext/curl/config.w32
View file

@ -13,7 +13,7 @@ if (PHP_CURL != "no") {
&& (((PHP_ZLIB=="no") && (CHECK_LIB("zlib_a.lib;zlib.lib", "curl", PHP_CURL))) || && (((PHP_ZLIB=="no") && (CHECK_LIB("zlib_a.lib;zlib.lib", "curl", PHP_CURL))) ||
(PHP_ZLIB_SHARED && CHECK_LIB("zlib.lib", "curl", PHP_CURL)) || (PHP_ZLIB == "yes" && (!PHP_ZLIB_SHARED))) (PHP_ZLIB_SHARED && CHECK_LIB("zlib.lib", "curl", PHP_CURL)) || (PHP_ZLIB == "yes" && (!PHP_ZLIB_SHARED)))
) { ) {
EXTENSION("curl", "interface.c multi.c share.c streams.c", true); EXTENSION("curl", "interface.c multi.c share.c streams.c curl_file.c", true);
AC_DEFINE('HAVE_CURL', 1, 'Have cURL library'); AC_DEFINE('HAVE_CURL', 1, 'Have cURL library');
AC_DEFINE('HAVE_CURL_SSL', 1, 'Have SSL suppurt in cURL'); AC_DEFINE('HAVE_CURL_SSL', 1, 'Have SSL suppurt in cURL');
AC_DEFINE('HAVE_CURL_EASY_STRERROR', 1, 'Have curl_easy_strerror in cURL'); AC_DEFINE('HAVE_CURL_EASY_STRERROR', 1, 'Have curl_easy_strerror in cURL');

66
ext/curl/interface.c
View file

@ -403,6 +403,12 @@ ZEND_BEGIN_ARG_INFO(arginfo_curl_pause, 0)
ZEND_ARG_INFO(0, bitmask) ZEND_ARG_INFO(0, bitmask)
ZEND_END_ARG_INFO() ZEND_END_ARG_INFO()
#endif #endif
ZEND_BEGIN_ARG_INFO_EX(arginfo_curlfile_create, 0, 0, 1)
ZEND_ARG_INFO(0, filename)
ZEND_ARG_INFO(0, mimetype)
ZEND_ARG_INFO(0, postname)
ZEND_END_ARG_INFO()
/* }}} */ /* }}} */
/* {{{ curl_functions[] /* {{{ curl_functions[]
@ -446,6 +452,7 @@ const zend_function_entry curl_functions[] = {
PHP_FE(curl_share_init, arginfo_curl_share_init) PHP_FE(curl_share_init, arginfo_curl_share_init)
PHP_FE(curl_share_close, arginfo_curl_share_close) PHP_FE(curl_share_close, arginfo_curl_share_close)
PHP_FE(curl_share_setopt, arginfo_curl_share_setopt) PHP_FE(curl_share_setopt, arginfo_curl_share_setopt)
PHP_FE(curl_file_create, arginfo_curlfile_create)
PHP_FE_END PHP_FE_END
}; };
/* }}} */ /* }}} */
@ -1187,6 +1194,7 @@ PHP_MINIT_FUNCTION(curl)
#if CURLOPT_PASSWDFUNCTION != 0 #if CURLOPT_PASSWDFUNCTION != 0
REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION); REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
#endif #endif
REGISTER_CURL_CONSTANT(CURLOPT_SAFE_UPLOAD);
#ifdef PHP_CURL_NEED_OPENSSL_TSL #ifdef PHP_CURL_NEED_OPENSSL_TSL
if (!CRYPTO_get_id_callback()) { if (!CRYPTO_get_id_callback()) {
@ -1229,6 +1237,8 @@ PHP_MINIT_FUNCTION(curl)
} }
#endif #endif
curlfile_register_class(TSRMLS_C);
return SUCCESS; return SUCCESS;
} }
/* }}} */ /* }}} */
@ -1812,6 +1822,7 @@ static void alloc_curl_handle(php_curl **ch)
zend_llist_init(&(*ch)->to_free->str, sizeof(char *), (llist_dtor_func_t) curl_free_string, 0); zend_llist_init(&(*ch)->to_free->str, sizeof(char *), (llist_dtor_func_t) curl_free_string, 0);
zend_llist_init(&(*ch)->to_free->slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist, 0); zend_llist_init(&(*ch)->to_free->slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist, 0);
zend_llist_init(&(*ch)->to_free->post, sizeof(struct HttpPost), (llist_dtor_func_t) curl_free_post, 0); zend_llist_init(&(*ch)->to_free->post, sizeof(struct HttpPost), (llist_dtor_func_t) curl_free_post, 0);
(*ch)->safe_upload = 0; /* for now, for BC reason we allow unsafe API */
} }
/* }}} */ /* }}} */
@ -2247,6 +2258,10 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
#endif #endif
error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue)); error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
break; break;
case CURLOPT_SAFE_UPLOAD:
convert_to_long_ex(zvalue);
ch->safe_upload = (Z_LVAL_PP(zvalue) != 0);
break;
/* String options */ /* String options */
case CURLOPT_CAINFO: case CURLOPT_CAINFO:
@ -2560,9 +2575,6 @@ string_copy:
ulong num_key; ulong num_key;
int numeric_key; int numeric_key;
SEPARATE_ZVAL(current);
convert_to_string_ex(current);
zend_hash_get_current_key_ex(postfields, &string_key, &string_key_len, &num_key, 0, NULL); zend_hash_get_current_key_ex(postfields, &string_key, &string_key_len, &num_key, 0, NULL);
/* Pretend we have a string_key here */ /* Pretend we have a string_key here */
@ -2574,15 +2586,59 @@ string_copy:
numeric_key = 0; numeric_key = 0;
} }
if(Z_TYPE_PP(current) == IS_OBJECT && instanceof_function(Z_OBJCE_PP(current), curl_CURLFile_class TSRMLS_CC)) {
/* new-style file upload */
zval *prop;
char *type = NULL, *filename = NULL;
prop = zend_read_property(curl_CURLFile_class, *current, "name", sizeof("name")-1, 0 TSRMLS_CC);
if(Z_TYPE_P(prop) != IS_STRING) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename for key %s", string_key);
} else {
postval = Z_STRVAL_P(prop);
if (php_check_open_basedir(postval TSRMLS_CC)) {
RETVAL_FALSE;
return 1;
}
prop = zend_read_property(curl_CURLFile_class, *current, "mime", sizeof("mime")-1, 0 TSRMLS_CC);
if(Z_TYPE_P(prop) == IS_STRING && Z_STRLEN_P(prop) > 0) {
type = Z_STRVAL_P(prop);
}
prop = zend_read_property(curl_CURLFile_class, *current, "postname", sizeof("postname")-1, 0 TSRMLS_CC);
if(Z_TYPE_P(prop) == IS_STRING && Z_STRLEN_P(prop) > 0) {
filename = Z_STRVAL_P(prop);
}
error = curl_formadd(&first, &last,
CURLFORM_COPYNAME, string_key,
CURLFORM_NAMELENGTH, (long)string_key_len - 1,
CURLFORM_FILENAME, filename ? filename : postval,
CURLFORM_CONTENTTYPE, type ? type : "application/octet-stream",
CURLFORM_FILE, postval,
CURLFORM_END);
}
if (numeric_key) {
efree(string_key);
}
continue;
}
SEPARATE_ZVAL(current);
convert_to_string_ex(current);
postval = Z_STRVAL_PP(current); postval = Z_STRVAL_PP(current);
/* The arguments after _NAMELENGTH and _CONTENTSLENGTH /* The arguments after _NAMELENGTH and _CONTENTSLENGTH
* must be explicitly cast to long in curl_formadd * must be explicitly cast to long in curl_formadd
* use since curl needs a long not an int. */ * use since curl needs a long not an int. */
if (*postval == '@') { if (!ch->safe_upload && *postval == '@') {
char *type, *filename; char *type, *filename;
++postval; ++postval;
php_error_docref("curl.curlfile" TSRMLS_CC, E_DEPRECATED, "The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead");
if ((type = php_memnstr(postval, ";type=", sizeof(";type=") - 1, postval + Z_STRLEN_PP(current)))) { if ((type = php_memnstr(postval, ";type=", sizeof(";type=") - 1, postval + Z_STRLEN_PP(current)))) {
*type = '\0'; *type = '\0';
} }
@ -2829,7 +2885,7 @@ PHP_FUNCTION(curl_setopt)
ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl); ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
if (options <= 0) { if (options <= 0 && options != CURLOPT_SAFE_UPLOAD) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid curl configuration option"); php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid curl configuration option");
RETURN_FALSE; RETURN_FALSE;
} }

15
ext/curl/php_curl.h
View file

@ -34,6 +34,14 @@
#define PHP_CURL_DEBUG 0 #define PHP_CURL_DEBUG 0
#ifdef PHP_WIN32
# define PHP_CURL_API __declspec(dllexport)
#elif defined(__GNUC__) && __GNUC__ >= 4
# define PHP_CURL_API __attribute__ ((visibility("default")))
#else
# define PHP_CURL_API
#endif
#include <curl/curl.h> #include <curl/curl.h>
#include <curl/multi.h> #include <curl/multi.h>
@ -103,6 +111,8 @@ PHP_FUNCTION(curl_multi_setopt);
#if LIBCURL_VERSION_NUM >= 0x071200 /* 7.18.0 */ #if LIBCURL_VERSION_NUM >= 0x071200 /* 7.18.0 */
PHP_FUNCTION(curl_pause); PHP_FUNCTION(curl_pause);
#endif #endif
PHP_FUNCTION(curl_file_create);
void _php_curl_multi_close(zend_rsrc_list_entry * TSRMLS_DC); void _php_curl_multi_close(zend_rsrc_list_entry * TSRMLS_DC);
void _php_curl_share_close(zend_rsrc_list_entry * TSRMLS_DC); void _php_curl_share_close(zend_rsrc_list_entry * TSRMLS_DC);
@ -171,8 +181,11 @@ typedef struct {
long id; long id;
zend_bool in_callback; zend_bool in_callback;
zval *clone; zval *clone;
zend_bool safe_upload;
} php_curl; } php_curl;
#define CURLOPT_SAFE_UPLOAD -1
typedef struct { typedef struct {
int still_running; int still_running;
CURLM *multi; CURLM *multi;
@ -219,6 +232,8 @@ typedef struct {
struct curl_slist *headers_slist; /* holds custom headers sent out in the request */ struct curl_slist *headers_slist; /* holds custom headers sent out in the request */
} php_curl_stream; } php_curl_stream;
void curlfile_register_class(TSRMLS_D);
PHP_CURL_API extern zend_class_entry *curl_CURLFile_class;
#else #else
#define curl_module_ptr NULL #define curl_module_ptr NULL

2
ext/curl/tests/bug27023.phpt
View file

@ -1,5 +1,7 @@
--TEST-- --TEST--
Bug #27023 (CURLOPT_POSTFIELDS does not parse content types for files) Bug #27023 (CURLOPT_POSTFIELDS does not parse content types for files)
--INI--
error_reporting = E_ALL & ~E_DEPRECATED
--SKIPIF-- --SKIPIF--
<?php <?php
if (!extension_loaded("curl")) { if (!extension_loaded("curl")) {

21
ext/curl/tests/curl_file_serialize.phpt Normal file
View file

@ -0,0 +1,21 @@
--TEST--
CURL file uploading
--SKIPIF--
<?php
if (!extension_loaded("curl")) {
exit("skip curl extension not loaded");
}
?>
--FILE--
<?php
$data = 'a:2:{s:4:"file";O:8:"CURLFile":3:{s:4:"name";s:13:"testdata1.txt";s:4:"mime";s:0:"";s:8:"postname";s:0:"";}s:4:"data";s:3:"foo";}';
var_dump(unserialize($data));
?>
--EXPECTF--
Fatal error: Uncaught exception 'Exception' with message 'Unserialization of CURLFile instances is not allowed' in %s
Stack trace:
#0 [internal function]: CURLFile->__wakeup()
#1 %s
#2 {main}
thrown in %s on line %d

85
ext/curl/tests/curl_file_upload.phpt Normal file
View file

@ -0,0 +1,85 @@
--TEST--
CURL file uploading
--SKIPIF--
<?php
if (!extension_loaded("curl")) {
exit("skip curl extension not loaded");
}
if (false === getenv('PHP_CURL_HTTP_REMOTE_SERVER')) {
exit("skip PHP_CURL_HTTP_REMOTE_SERVER env variable is not defined");
}
?>
--FILE--
<?php
function testcurl($ch, $name, $mime = '', $postname = '')
{
if(!empty($postname)) {
$file = new CurlFile($name, $mime, $postname);
} else if(!empty($mime)) {
$file = new CurlFile($name, $mime);
} else {
$file = new CurlFile($name);
}
curl_setopt($ch, CURLOPT_POSTFIELDS, array("file" => $file));
var_dump(curl_exec($ch));
}
$host = getenv('PHP_CURL_HTTP_REMOTE_SERVER');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$host}/get.php?test=file");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
testcurl($ch, __DIR__ . '/curl_testdata1.txt');
testcurl($ch, __DIR__ . '/curl_testdata1.txt', 'text/plain');
testcurl($ch, __DIR__ . '/curl_testdata1.txt', '', 'foo.txt');
testcurl($ch, __DIR__ . '/curl_testdata1.txt', 'text/plain', 'foo.txt');
$file = new CurlFile(__DIR__ . '/curl_testdata1.txt');
$file->setMimeType('text/plain');
var_dump($file->getMimeType());
var_dump($file->getFilename());
curl_setopt($ch, CURLOPT_POSTFIELDS, array("file" => $file));
var_dump(curl_exec($ch));
$file = curl_file_create(__DIR__ . '/curl_testdata1.txt');
$file->setPostFilename('foo.txt');
var_dump($file->getPostFilename());
curl_setopt($ch, CURLOPT_POSTFIELDS, array("file" => $file));
var_dump(curl_exec($ch));
$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
var_dump(curl_exec($ch));
curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
var_dump(curl_exec($ch));
curl_setopt($ch, CURLOPT_URL, "{$host}/get.php?test=post");
$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
var_dump(curl_exec($ch));
curl_close($ch);
?>
--EXPECTF--
string(%d) "curl_testdata1.txt|application/octet-stream"
string(%d) "curl_testdata1.txt|text/plain"
string(%d) "foo.txt|application/octet-stream"
string(%d) "foo.txt|text/plain"
string(%d) "text/plain"
string(%d) "%s/curl_testdata1.txt"
string(%d) "curl_testdata1.txt|text/plain"
string(%d) "foo.txt"
string(%d) "foo.txt|application/octet-stream"
Deprecated: curl_setopt(): The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead in %s on line %d
string(%d) "curl_testdata1.txt|application/octet-stream"
string(0) ""
string(%d) "array(1) {
["file"]=>
string(%d) "@%s/curl_testdata1.txt"
}
"

4
ext/curl/tests/curl_setopt_error.phpt
View file

@ -14,14 +14,14 @@ curl_setopt(false);
curl_setopt($ch); curl_setopt($ch);
curl_setopt($ch, false); curl_setopt($ch, false);
curl_setopt($ch, -1); curl_setopt($ch, -10);
curl_setopt($ch, ''); curl_setopt($ch, '');
curl_setopt($ch, 1, false); curl_setopt($ch, 1, false);
curl_setopt(false, false, false); curl_setopt(false, false, false);
curl_setopt($ch, '', false); curl_setopt($ch, '', false);
curl_setopt($ch, 1, ''); curl_setopt($ch, 1, '');
curl_setopt($ch, -1, 0); curl_setopt($ch, -10, 0);
?> ?>
--EXPECTF-- --EXPECTF--
*** curl_setopt() call with incorrect parameters *** curl_setopt() call with incorrect parameters