Newsgroups: php.internals
Date: Mon, 24 Dec 2012 13:16:58 -0500
To: Internals
Subject: Sending file via ext/curl extension is flawed
From: pierrick@webstart.fr (Pierrick Charron)

Hi all,

Stas opened a discussion almost a year ago about https://bugs.php.net/bug.php?id=46439 (I'll let you read the details in the bug) and I would like to reopen the subject, since there was no end to this discussion and nothing was done to fix this issue.

One solution proposed by Richard Lynch was to add a new CURLOPT_FILEFIELDS that takes an array of the parameters that are supposed to be files, so the ones that are expected to have '@'. One problem that we may have to deal with in this solution is that the user will have to add all the post params in 2 steps (first for the string data and then for the files). Internally, libcurl only allows one call to CURLOPT_HTTPPOST (a second will override the first one), so it may become unclear whether the new data is appended or overwrites the old data.

Another solution, proposed by Ángel González, was to add a new option to disable the '@' check. The problem with this is that it will only prevent uploading unwanted files if someone writes something starting with an '@', but it also completely disables the feature.

A last solution would be to do something similar to libcurl's curl_formadd (this one could be added to the previous one so that the old way works but there is a more secure way to do it):

    curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
        'firstname' => 'pierrick',
        'lastname' => array(CURLFORM_CONTENTS => 'charron'),
        'lastname' => array(
            CURLFORM_FILENAME => 'name.png',
            CURLFORM_FILE => '/home/pierrick/picture.png',
            CURLFORM_CONTENTTYPE => 'image/jpg'
        )
    ));

One thing we have to think about with this solution is whether, if at some point we want to allow sending arrays via curl, it will conflict.

Does anyone have another, better idea?
Which one would you prefer and see implemented?

Thanks all for your input,
Pierrick

PS: Sorry for creating a new topic and not responding to the old one, but when I tried to do it, the ML refused my mail for no reason.
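
The separation of string fields from file fields discussed in the message above can also be enforced in userland. The following is an added example, not part of the original message or of ext/curl: set_post_fields() and its parameters are hypothetical names, and it assumes the CURLFile class and CURLOPT_SAFE_UPLOAD option that PHP gained in 5.5, falling back to rejecting a leading '@' on older versions.

```php
<?php
// Added illustration, not code from the thread. set_post_fields() and its
// parameters are hypothetical names; CURLFile requires PHP >= 5.5.

/**
 * $strings: field name => literal value (may be user-supplied).
 * $files:   field name => local path chosen by the application, never by a user.
 */
function set_post_fields($ch, array $strings, array $files = array())
{
    foreach ($strings as $name => $value) {
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("Field '$name' is not a scalar");
        }
        $strings[$name] = (string) $value;
    }

    if (!$files) {
        // A string body is sent as-is: '@' is only special in the array form.
        return curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($strings));
    }

    $hasCurlFile = class_exists('CURLFile');
    if ($hasCurlFile && PHP_VERSION_ID < 70000) {
        // PHP 5.5/5.6: force '@' to be literal; set before CURLOPT_POSTFIELDS.
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    }

    $post = array();
    foreach ($strings as $name => $value) {
        if (!$hasCurlFile && strncmp($value, '@', 1) === 0) {
            // The legacy array form cannot express a literal leading '@'.
            throw new InvalidArgumentException("Field '$name' starts with '@'");
        }
        $post[$name] = $value;
    }
    foreach ($files as $name => $path) {
        $real = realpath($path);
        if ($real === false || !is_file($real) || isset($post[$name])) {
            throw new InvalidArgumentException("Bad file field '$name'");
        }
        // Only this loop is allowed to mark a field as a file upload.
        $post[$name] = $hasCurlFile ? new CURLFile($real) : '@' . $real;
    }
    return curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
}
```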