Implement fix for bug #46439 - add CURLFile class for safer uploads

NEWS

@@ -5,6 +5,10 @@ PHP                                                                        NEWS
   . Fixed bug # 60833 (self, parent, static behave inconsistently 
     case-sensitive). (Stas, mario at include-once dot org)
 
+- cURL:
+  . Implemented FR #46439 - added CURLFile for safer file uploads.
+    (Stas)
+
 24 Jan 2013, PHP 5.5.0 Alpha 4
 
 - Core:

UPGRADING

@@ -155,6 +155,8 @@ PHP 5.5 UPGRADE NOTES
   bool(true) was returned.
 - setcookie(), setrawcookie() and ext/session now send Max-Age headers alongside
   Expires headers. (see https://wiki.php.net/rfc/cookie_max-age)
+- curl_setopt now accepts new option CURLOPT_SAFE_UPLOAD and CURLFile object for
+  safer file uploads (see https://wiki.php.net/rfc/curl-file-upload)
 
 ========================================
 5. New Functions
@@ -167,6 +169,9 @@ PHP 5.5 UPGRADE NOTES
   - password_needs_rehash()
   - password_verify()
 
+- cURL:
+  - curl_file_create
+
 - Hash:
   - hash_pbkdf2()
 
@@ -267,6 +272,9 @@ PHP 5.5 UPGRADE NOTES
   - IntlRuleBasedBreakIterator
   - IntlCodePointBreakIterator
 
+- cURL:
+  - CURLFile
+
 ========================================
 7. Removed Extensions
 ========================================
@@ -286,6 +294,9 @@ PHP 5.5 UPGRADE NOTES
 - mysqli:
   - Added MYSQLI_SERVER_PUBLIC_KEY constant to be used with mysqli_options()
 
+- cURL:
+  - Added CURLOPT_SAFE_UPLOAD to be used with curl_setopt().
+
 ========================================
 10. Changes to INI File Handling
 ========================================

ext/curl/config.m4

@@ -149,6 +149,6 @@ int main(int argc, char *argv[])
     AC_DEFINE(PHP_CURL_URL_WRAPPERS,1,[ ])
   fi
 
-  PHP_NEW_EXTENSION(curl, interface.c multi.c share.c streams.c, $ext_shared)
+  PHP_NEW_EXTENSION(curl, interface.c multi.c share.c streams.c curl_file.c, $ext_shared)
   PHP_SUBST(CURL_SHARED_LIBADD)
 fi

ext/curl/config.w32

@@ -13,7 +13,7 @@ if (PHP_CURL != "no") {
 		&& (((PHP_ZLIB=="no") && (CHECK_LIB("zlib_a.lib;zlib.lib", "curl", PHP_CURL))) || 
 			(PHP_ZLIB_SHARED && CHECK_LIB("zlib.lib", "curl", PHP_CURL)) || (PHP_ZLIB == "yes" && (!PHP_ZLIB_SHARED)))
 		) {
-		EXTENSION("curl", "interface.c multi.c share.c streams.c", true);
+		EXTENSION("curl", "interface.c multi.c share.c streams.c curl_file.c", true);
 		AC_DEFINE('HAVE_CURL', 1, 'Have cURL library');
 		AC_DEFINE('HAVE_CURL_SSL', 1, 'Have SSL suppurt in cURL');
 		AC_DEFINE('HAVE_CURL_EASY_STRERROR', 1, 'Have curl_easy_strerror in cURL');

ext/curl/interface.c

@@ -403,6 +403,12 @@ ZEND_BEGIN_ARG_INFO(arginfo_curl_pause, 0)
 	ZEND_ARG_INFO(0, bitmask)
 ZEND_END_ARG_INFO()
 #endif
+
+ZEND_BEGIN_ARG_INFO_EX(arginfo_curlfile_create, 0, 0, 1)
+	ZEND_ARG_INFO(0, filename)
+	ZEND_ARG_INFO(0, mimetype)
+	ZEND_ARG_INFO(0, postname)
+ZEND_END_ARG_INFO()
 /* }}} */
 
 /* {{{ curl_functions[]
@@ -446,6 +452,7 @@ const zend_function_entry curl_functions[] = {
 	PHP_FE(curl_share_init,          arginfo_curl_share_init)
 	PHP_FE(curl_share_close,         arginfo_curl_share_close)
 	PHP_FE(curl_share_setopt,        arginfo_curl_share_setopt)
+	PHP_FE(curl_file_create,         arginfo_curlfile_create)
 	PHP_FE_END
 };
 /* }}} */
@@ -1187,6 +1194,7 @@ PHP_MINIT_FUNCTION(curl)
 #if CURLOPT_PASSWDFUNCTION != 0
 	REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
 #endif
+	REGISTER_CURL_CONSTANT(CURLOPT_SAFE_UPLOAD);
 
 #ifdef PHP_CURL_NEED_OPENSSL_TSL
 	if (!CRYPTO_get_id_callback()) {
@@ -1229,6 +1237,8 @@ PHP_MINIT_FUNCTION(curl)
 	}
 #endif
 
+	curlfile_register_class(TSRMLS_C);
+
 	return SUCCESS;
 }
 /* }}} */
@@ -1812,6 +1822,7 @@ static void alloc_curl_handle(php_curl **ch)
 	zend_llist_init(&(*ch)->to_free->str,   sizeof(char *),            (llist_dtor_func_t) curl_free_string, 0);
 	zend_llist_init(&(*ch)->to_free->slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist,  0);
 	zend_llist_init(&(*ch)->to_free->post,  sizeof(struct HttpPost),   (llist_dtor_func_t) curl_free_post,   0);
+	(*ch)->safe_upload = 0; /* for now, for BC reason we allow unsafe API */
 }
 /* }}} */
 
@@ -2247,6 +2258,10 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 #endif
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_SAFE_UPLOAD:
+			convert_to_long_ex(zvalue);
+			ch->safe_upload = (Z_LVAL_PP(zvalue) != 0);
+			break;
 
 		/* String options */
 		case CURLOPT_CAINFO:
@@ -2560,9 +2575,6 @@ string_copy:
 					ulong  num_key;
 					int    numeric_key;
 
-					SEPARATE_ZVAL(current);
-					convert_to_string_ex(current);
-
 					zend_hash_get_current_key_ex(postfields, &string_key, &string_key_len, &num_key, 0, NULL);
 
 					/* Pretend we have a string_key here */
@@ -2574,15 +2586,59 @@ string_copy:
 						numeric_key = 0;
 					}
 
+					if(Z_TYPE_PP(current) == IS_OBJECT && instanceof_function(Z_OBJCE_PP(current), curl_CURLFile_class TSRMLS_CC)) {
+						/* new-style file upload */
+						zval *prop;
+						char *type = NULL, *filename = NULL;
+
+						prop = zend_read_property(curl_CURLFile_class, *current, "name", sizeof("name")-1, 0 TSRMLS_CC);
+						if(Z_TYPE_P(prop) != IS_STRING) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename for key %s", string_key);
+						} else {
+							postval = Z_STRVAL_P(prop);
+
+							if (php_check_open_basedir(postval TSRMLS_CC)) {
+								RETVAL_FALSE;
+								return 1;
+							}
+
+							prop = zend_read_property(curl_CURLFile_class, *current, "mime", sizeof("mime")-1, 0 TSRMLS_CC);
+							if(Z_TYPE_P(prop) == IS_STRING && Z_STRLEN_P(prop) > 0) {
+								type = Z_STRVAL_P(prop);
+							}
+							prop = zend_read_property(curl_CURLFile_class, *current, "postname", sizeof("postname")-1, 0 TSRMLS_CC);
+							if(Z_TYPE_P(prop) == IS_STRING && Z_STRLEN_P(prop) > 0) {
+								filename = Z_STRVAL_P(prop);
+							}
+							error = curl_formadd(&first, &last,
+											CURLFORM_COPYNAME, string_key,
+											CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+											CURLFORM_FILENAME, filename ? filename : postval,
+											CURLFORM_CONTENTTYPE, type ? type : "application/octet-stream",
+											CURLFORM_FILE, postval,
+											CURLFORM_END);
+						}
+
+						if (numeric_key) {
+							efree(string_key);
+						}
+						continue;
+					}
+
+					SEPARATE_ZVAL(current);
+					convert_to_string_ex(current);
+
 					postval = Z_STRVAL_PP(current);
 
 					/* The arguments after _NAMELENGTH and _CONTENTSLENGTH
 					 * must be explicitly cast to long in curl_formadd
 					 * use since curl needs a long not an int. */
-					if (*postval == '@') {
+					if (!ch->safe_upload && *postval == '@') {
 						char *type, *filename;
 						++postval;
 
+						php_error_docref("curl.curlfile" TSRMLS_CC, E_DEPRECATED, "The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead");
+
 						if ((type = php_memnstr(postval, ";type=", sizeof(";type=") - 1, postval + Z_STRLEN_PP(current)))) {
 							*type = '\0';
 						}
@@ -2829,7 +2885,7 @@ PHP_FUNCTION(curl_setopt)
 
 	ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
 
-	if (options <= 0) {
+	if (options <= 0 && options != CURLOPT_SAFE_UPLOAD) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid curl configuration option");
 		RETURN_FALSE;
 	}

ext/curl/php_curl.h

@@ -34,6 +34,14 @@
 
 #define PHP_CURL_DEBUG 0
 
+#ifdef PHP_WIN32
+# define PHP_CURL_API __declspec(dllexport)
+#elif defined(__GNUC__) && __GNUC__ >= 4
+# define PHP_CURL_API __attribute__ ((visibility("default")))
+#else
+# define PHP_CURL_API
+#endif
+
 #include <curl/curl.h>
 #include <curl/multi.h>
 
@@ -103,6 +111,8 @@ PHP_FUNCTION(curl_multi_setopt);
 #if LIBCURL_VERSION_NUM >= 0x071200 /* 7.18.0 */
 PHP_FUNCTION(curl_pause);
 #endif
+PHP_FUNCTION(curl_file_create);
+
 
 void _php_curl_multi_close(zend_rsrc_list_entry * TSRMLS_DC);
 void _php_curl_share_close(zend_rsrc_list_entry * TSRMLS_DC);
@@ -171,8 +181,11 @@ typedef struct {
 	long                     id;
 	zend_bool                in_callback;
 	zval                     *clone;
+	zend_bool                safe_upload;
 } php_curl;
 
+#define CURLOPT_SAFE_UPLOAD -1
+
 typedef struct {
 	int    still_running;
 	CURLM *multi;
@@ -219,6 +232,8 @@ typedef struct {
 	struct curl_slist *headers_slist; /* holds custom headers sent out in the request */
 } php_curl_stream;
 
+void curlfile_register_class(TSRMLS_D);
+PHP_CURL_API extern zend_class_entry *curl_CURLFile_class;
 
 #else
 #define curl_module_ptr NULL

ext/curl/tests/bug27023.phpt

@@ -1,5 +1,7 @@
 --TEST--
 Bug #27023 (CURLOPT_POSTFIELDS does not parse content types for files)
+--INI--
+error_reporting = E_ALL & ~E_DEPRECATED
 --SKIPIF--
 <?php 
 if (!extension_loaded("curl")) {

ext/curl/tests/curl_file_serialize.phpt

@@ -0,0 +1,21 @@
+--TEST--
+CURL file uploading
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) {
+	exit("skip curl extension not loaded");
+}
+?>
+--FILE--
+<?php
+$data = 'a:2:{s:4:"file";O:8:"CURLFile":3:{s:4:"name";s:13:"testdata1.txt";s:4:"mime";s:0:"";s:8:"postname";s:0:"";}s:4:"data";s:3:"foo";}';
+var_dump(unserialize($data));
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'Exception' with message 'Unserialization of CURLFile instances is not allowed' in %s
+Stack trace:
+#0 [internal function]: CURLFile->__wakeup()
+#1 %s
+#2 {main}
+  thrown in %s on line %d
+

ext/curl/tests/curl_file_upload.phpt

@@ -0,0 +1,85 @@
+--TEST--
+CURL file uploading
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) {
+	exit("skip curl extension not loaded");
+}
+if (false === getenv('PHP_CURL_HTTP_REMOTE_SERVER'))  {
+	exit("skip PHP_CURL_HTTP_REMOTE_SERVER env variable is not defined");
+}
+?>
+--FILE--
+<?php
+
+function testcurl($ch, $name, $mime = '', $postname = '')
+{
+	if(!empty($postname)) {
+		$file = new CurlFile($name, $mime, $postname);
+	} else if(!empty($mime)) {
+		$file = new CurlFile($name, $mime);
+	} else {
+		$file = new CurlFile($name);
+	}
+	curl_setopt($ch, CURLOPT_POSTFIELDS, array("file" => $file));
+	var_dump(curl_exec($ch));
+}
+
+$host = getenv('PHP_CURL_HTTP_REMOTE_SERVER');
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL, "{$host}/get.php?test=file");
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+
+testcurl($ch, __DIR__ . '/curl_testdata1.txt');
+testcurl($ch, __DIR__ . '/curl_testdata1.txt', 'text/plain');
+testcurl($ch, __DIR__ . '/curl_testdata1.txt', '', 'foo.txt');
+testcurl($ch, __DIR__ . '/curl_testdata1.txt', 'text/plain', 'foo.txt');
+
+$file = new CurlFile(__DIR__ . '/curl_testdata1.txt');
+$file->setMimeType('text/plain');
+var_dump($file->getMimeType());
+var_dump($file->getFilename());
+curl_setopt($ch, CURLOPT_POSTFIELDS, array("file" => $file));
+var_dump(curl_exec($ch));
+
+$file = curl_file_create(__DIR__ . '/curl_testdata1.txt');
+$file->setPostFilename('foo.txt');
+var_dump($file->getPostFilename());
+curl_setopt($ch, CURLOPT_POSTFIELDS, array("file" => $file));
+var_dump(curl_exec($ch));
+
+$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
+curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
+var_dump(curl_exec($ch));
+
+curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
+$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
+curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
+var_dump(curl_exec($ch));
+
+curl_setopt($ch, CURLOPT_URL, "{$host}/get.php?test=post");
+$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
+curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
+var_dump(curl_exec($ch));
+
+curl_close($ch);
+?>
+--EXPECTF--
+string(%d) "curl_testdata1.txt|application/octet-stream"
+string(%d) "curl_testdata1.txt|text/plain"
+string(%d) "foo.txt|application/octet-stream"
+string(%d) "foo.txt|text/plain"
+string(%d) "text/plain"
+string(%d) "%s/curl_testdata1.txt"
+string(%d) "curl_testdata1.txt|text/plain"
+string(%d) "foo.txt"
+string(%d) "foo.txt|application/octet-stream"
+
+Deprecated: curl_setopt(): The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead in %s on line %d
+string(%d) "curl_testdata1.txt|application/octet-stream"
+string(0) ""
+string(%d) "array(1) {
+  ["file"]=>
+  string(%d) "@%s/curl_testdata1.txt"
+}
+"

ext/curl/tests/curl_setopt_error.phpt

@@ -14,14 +14,14 @@ curl_setopt(false);
 
 curl_setopt($ch);
 curl_setopt($ch, false);
-curl_setopt($ch, -1);
+curl_setopt($ch, -10);
 curl_setopt($ch, '');
 curl_setopt($ch, 1, false);
 
 curl_setopt(false, false, false);
 curl_setopt($ch, '', false);
 curl_setopt($ch, 1, '');
-curl_setopt($ch, -1, 0);
+curl_setopt($ch, -10, 0);
 ?>
 --EXPECTF--
 *** curl_setopt() call with incorrect parameters