Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120642
Return-Path: <divinity76@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 57149 invoked from network); 20 Jun 2023 09:51:35 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 20 Jun 2023 09:51:35 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id BACFB180550
	for <internals@lists.php.net>; Tue, 20 Jun 2023 02:51:33 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,
	FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <divinity76@gmail.com>
Received: from mail-yw1-f172.google.com (mail-yw1-f172.google.com [209.85.128.172])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 20 Jun 2023 02:51:33 -0700 (PDT)
Received: by mail-yw1-f172.google.com with SMTP id 00721157ae682-5728df0a7d9so34769747b3.1
        for <internals@lists.php.net>; Tue, 20 Jun 2023 02:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1687254692; x=1689846692;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=7PV2n3AJbRMFCL6H8WFP65srfm/WUbt3JHacmeYPWpw=;
        b=l/gcWz92twZJFYV15IIgn6BzVWM2wEFpOHPCUvg2VNjgMpgoUyIHxer7QjH0uHCVVz
         xXbdTd1rLNFw/jqBoe7ZxVjeY8KG6iGrvFPuWMgkcb2SETzqEzw1ZSQyLNt/K7nuLbji
         JZ+xKg30qSXLMhtFjrx9aNiZlhl6S37O0Zn7f012cXg70Oa9orK6G1Kb3shQUPvOdp4g
         xohljNwHJo7izGJpLnkh8y3UoM+PSJKtulm8zKR2GAlOJ4B+eUHFaPN/GKQGhlh7O5c1
         GKQOyRiD73Zd18GhSys45nyepSQFBgS8Yoqju7vaNmjxSC8tW9JWaNCOJgHpxdI27pzo
         zKDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1687254692; x=1689846692;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=7PV2n3AJbRMFCL6H8WFP65srfm/WUbt3JHacmeYPWpw=;
        b=Y4loFMvCYb/u4Gwu1EJbx9QB6JYOpbPaBU1RCWW3oJ2Bc8H1alWfc6IxqHEdq04uB1
         ZEq7VTo5e/Xq9qaPc711MhI1ZHX51UiVJ52CnmdQ2aLrPyYxe/NQjQZFi5D/+wbb9Qem
         BTLGdbIJOd9uWOo1qjLe8g1A+psMg6+80lFQ3Y+jPmHxooogENpYqwIU4YFn8WfynDrU
         693AIJMMlxrf3ABTP5BnSnuTMzEfodJ6px89hmtLyYjcgaVdAR/VejW1kJy1FpDLrFRg
         y4HjsvwBjx9M65dB/kBYjLBVUwnFdgwirWRKSY1Les9uVxi2JQIuIt1zqfq+2JUbqpHU
         Ccwg==
X-Gm-Message-State: AC+VfDxxChI26lgOnumgWFw1Eqx59b5q/nOvhyfrZdVfYOdrYqORG8f/
	RpjLnOcTJr8EYLBqLKU0e8WVqFZhnoNVZ/kw8rI=
X-Google-Smtp-Source: ACHHUZ49G2ZJXX1qL+9+7g5VyBZYHzWrAE26twRYHziS54eAZqFhpfZidz3SmkPdJ++eh0YYpnPrTy0zIDcO/1O4/d8=
X-Received: by 2002:a81:bf52:0:b0:570:17e5:e536 with SMTP id
 s18-20020a81bf52000000b0057017e5e536mr13364134ywk.36.1687254692559; Tue, 20
 Jun 2023 02:51:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAPyj-LAabBCvrHUTgO4yoJATmvT0N2Kk7ZpwCb=Vo9aRbz7PtQ@mail.gmail.com>
In-Reply-To: <CAPyj-LAabBCvrHUTgO4yoJATmvT0N2Kk7ZpwCb=Vo9aRbz7PtQ@mail.gmail.com>
Date: Tue, 20 Jun 2023 11:50:55 +0200
Message-ID: <CAJmy8YFOGAcnAeYvd12pajwuaCc2zwcQ0W+UhG+6e5=AHqF7EQ@mail.gmail.com>
To: Ilija Tovilo <tovilo.ilija@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] RFC1867 (multipart/form-data) PUT requests
From: divinity76@gmail.com (Hans Henrik Bergan)

how are errors handled, like if the format of php://input is
unrecognized, not valid multipart/form-data and not valid
application/x-www-form-urlencoded?
errors? exceptions? nothing?

On Tue, 20 Jun 2023 at 11:26, Ilija Tovilo <tovilo.ilija@gmail.com> wrote:
>
> Hi internals
>
> A while ago I encountered a limitation of how RFC1867 requests are
> handled in PHP. PHP populates the $_POST and $_FILES superglobals when
> the Content-Type is multipart/form-data or
> application/x-www-form-urlencoded, but only when the method is POST.
> For application/x-www-form-urlencoded PUT requests this is not a
> problem because the format is simple, usually limited in size and PHP
> offers functions to parse it, namely parse_str and parse_url. For
> RFC1867 it's a different story.
>
> The code handling the request will need to use streams because RFC1867
> is often used with files, the format is much more complicated, files
> should be cleaned up when the request ends if unused, etc. Handling
> this manually is non-trivial. This has been reported many years ago,
> and evidently caused a bit of frustration.
> https://bugs.php.net/bug.php?id=55815
>
> This is not limited to PUT either, multipart/form-data bodies are
> valid with other requests. Here's the approach I believe is best.
>
> Introduce a new function (currently named populate_post_data()) to
> read the input stream and populate the $_POST and $_FILES
> superglobals. The function works for any non-POST requests. It assumes
> that none of the input stream has been consumed, and that the
> Content-Type is set accordingly. A nice side-effect of this approach
> is that it may be used with the enable_post_data_reading ini setting
> to decide whether to parse the RFC1867 bodies dynamically. For
> example, a specific endpoint may accept bigger requests. The function
> may be implemented in a more generic way 1. by returning the
> data/files arrays instead of populating the superglobals and 2. by
> providing an input stream manually. I don't know if there's such a
> use-case and thus if this is worthwhile, as it would require bigger
> changes in the RFC1867 handling.
>
> Here's the proof-of-concept implementation:
> https://github.com/php/php-src/pull/11472
>
> For completeness, here are other options I considered.
>
> 1. Create a new $_PUT superglobal that is always populated. Two
> issues: The obvious one is that this is limited to PUT requests. While
> we could also introduce $_PATCH, this seems like a poor solution.
> While discouraged, other methods can also contain bodies. Another
> issue is that the code for processing RFC1867 consumes the input
> stream. This constitutes a BC break. Buffering the input is not
> feasible for large requests that would be expected here.
> 2. The same as option 1, but populate the existing $_POST global. This
> comes with the same BC break.
> 3. The same as options 1 or 2 with an additional ini setting to opt
> into the behavior. The issue with this approach is that both the old
> and new behavior might be desired in different parts of the same
> application. The ini option can't be changed at runtime because the
> populating of the superglobals happens before user code is being
> executed.
>
> Let me know what your thoughts are. If there is consensus in the
> feedback I'll update the implementation accordingly and post an update
> to the list. If there is no consensus, I will create an RFC.
>
> Ilija
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>