Newsgroups: php.internals
Xref: news.php.net php.internals:58883
Message-ID: <8d17c1162ecbe11172e4f09630200c17.squirrel@www.l-i-e.com>
In-Reply-To: <4F5D3569.8050307@sugarcrm.com>
References: <4F5C5540.8010204@sugarcrm.com> <4F5D3569.8050307@sugarcrm.com>
Date: Mon, 12 Mar 2012 14:36:40 -0500
From: ceo@l-i-e.com ("Richard Lynch")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] CURL file posting
User-Agent: SquirrelMail/1.4.21 [SVN]

On Sun, March 11, 2012 6:29 pm, Stas Malyshev wrote:
> Hi!
>
>> I'd sure like a PHP extension that didn't have this obvious and
>> nasty bug:
>>
>> https://bugs.php.net/bug.php?id=46439
>
> This doesn't look good. Documentation does say the @ prefix exists,
> but
> it has very high potential of creating security holes for unsuspecting
> people. open_basedir would help limit the impact, but still it's not a
> good thing. Any ideas on fixing it without breaking the BC?

Ouch.

Issue an E_NOTICE when it happens?

Add a new CURLOPT_FILEFIELDS that takes an array of the parameters that
are supposed to be files, so the ones that are expected to have "@..."
do not fire the E_NOTICE.

Issuing E_NOTICE is a BC, I suppose, but you'd think people would
appreciate an alert about a potential security threat...

--
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
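The reply above proposes a list of "fields that are supposed to be files" so that an "@" prefix anywhere else is treated as an error. The following is an added example, not code from this thread or from the PHP project, of what that idea looks like as a userland guard in application code: a function (`build_post_fields`, a name chosen here) that builds the `CURLOPT_POSTFIELDS` array from untrusted input, confines the one allowed file field to a directory of your choosing, and refuses any other value that starts with "@". The field names, paths and directory in the usage section are constructed sample values.

```php
<?php
// Added example (not from the thread or the PHP project). Background from
// the thread: when CURLOPT_POSTFIELDS is an array, a string value that
// begins with "@" is read as a path to upload, so an untrusted value can turn
// a plain text field into a file read plus upload. This guard applies the
// "expected file fields" whitelist idea before the array reaches curl.

/**
 * Build a CURLOPT_POSTFIELDS array from untrusted input.
 *
 * @param array    $fields      field name => value taken from the request
 * @param string[] $fileFields  names of fields allowed to carry a file path
 *                              (the CURLOPT_FILEFIELDS idea, done in userland)
 * @param string   $uploadRoot  directory the allowed file paths must stay in
 * @return array   array safe to pass as CURLOPT_POSTFIELDS
 * @throws InvalidArgumentException on a disallowed "@" value or path
 */
function build_post_fields(array $fields, array $fileFields, string $uploadRoot): array
{
    $out = [];
    foreach ($fields as $name => $value) {
        $value = (string) $value;
        if (in_array($name, $fileFields, true)) {
            // Expected file field: resolve the path and confine it to
            // $uploadRoot, much like a per-call open_basedir.
            $path = ltrim($value, '@');
            $real = realpath($path);
            $root = realpath($uploadRoot);
            if ($real === false || $root === false
                || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
                throw new InvalidArgumentException(
                    "file field '$name' does not name a file inside $uploadRoot");
            }
            $out[$name] = '@' . $real;
        } elseif ($value !== '' && $value[0] === '@') {
            // Plain field that the extension would misread as a file: the
            // E_NOTICE from the reply, turned into a hard failure here.
            throw new InvalidArgumentException(
                "field '$name' starts with '@' but is not a file field");
        } else {
            $out[$name] = $value;
        }
    }
    return $out;
}

// Usage with constructed input: "comment" is attacker-controlled text,
// "avatar" is the one field that is meant to carry a file.
$fields = [
    'title'   => 'hello',
    'comment' => '@/etc/passwd',            // would be uploaded by the raw option
    'avatar'  => '@/var/app/uploads/a.png', // sample path, constructed
];
try {
    $post = build_post_fields($fields, ['avatar'], '/var/app/uploads');
    // $ch = curl_init($url); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); ...
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Rejecting rather than stripping the prefix keeps the failure visible in logs, which is the point of the E_NOTICE suggestion. PHP 5.5 later added `CURLFile` and `CURLOPT_SAFE_UPLOAD`, which switch off the "@" interpretation altogether; where those are available they are the better fix, and this guard is only a stopgap for code that still relies on the prefix.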