Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:64427
Return-Path: <pierrick@webstart.fr>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 51175 invoked from network); 24 Dec 2012 18:23:35 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Dec 2012 18:23:35 -0000
Authentication-Results: pb1.pair.com smtp.mail=pierrick@webstart.fr; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=pierrick@webstart.fr; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain webstart.fr from 74.125.82.53 cause and error)
X-PHP-List-Original-Sender: pierrick@webstart.fr
X-Host-Fingerprint: 74.125.82.53 mail-wg0-f53.google.com  
Received: from [74.125.82.53] ([74.125.82.53:48992] helo=mail-wg0-f53.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EF/21-34516-4F898D05 for <internals@lists.php.net>; Mon, 24 Dec 2012 13:03:33 -0500
Received: by mail-wg0-f53.google.com with SMTP id ei8so3422802wgb.32
        for <internals@lists.php.net>; Mon, 24 Dec 2012 10:03:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type:content-transfer-encoding:x-gm-message-state;
        bh=NNG9wgwHsWLeXuB6qVQA9nxy9UYM27dH6sht0GxPZZc=;
        b=kJzNqhONOxQEObCH5XjMFgBlWTltfZqaHEfSNQN7sXwgvscUtR9R4e+XxWO719GdGn
         9znr5umqabHM7qkorBC15P9n17phNy6/EMwkdAC2Jz2Jk3zxTupE1pKeJlMwVd5GPUPz
         s+OhdwGFgyCV9uzDzLGvTMgMwALT0+paGONx5JszjKj3JNmu+VjZiA46/vxh2Qh6V93A
         H9hcgSb14r2ksZ9RVkDYSuV3VnROyceCWM3D4/CVbCpxyl3ZBUQ50Vn+Zv8yI15oBWjU
         H5sChufnz/C5fwgaCCTo0nJyFJwxn7PeDwS4yw7OWg0ummrvNXo7c1bfJ2AkcZ0o1qq7
         fECg==
MIME-Version: 1.0
Received: by 10.180.20.198 with SMTP id p6mr20044278wie.19.1356372209933; Mon,
 24 Dec 2012 10:03:29 -0800 (PST)
Received: by 10.180.98.226 with HTTP; Mon, 24 Dec 2012 10:03:29 -0800 (PST)
In-Reply-To: <4F5D3569.8050307@sugarcrm.com>
References: <CAOfKkdQMOgxBmKSo3DHaJZeHFe4fAOzg8a7amA9_--1=CeSBjA@mail.gmail.com>
	<4F5C5540.8010204@sugarcrm.com>
	<CAORXhG+=Tpzad-OxdWNcZdjvJDrF7jVOtiQ9PGvymL9HQAFEwA@mail.gmail.com>
	<4F5D3569.8050307@sugarcrm.com>
Date: Mon, 24 Dec 2012 13:03:29 -0500
Message-ID: <CAOfKkdTA8E4enoZuJB=ZReF2GMrDFO26PEF0URUAH9HUzHEAHQ@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: Tom Boutell <tom@punkave.com>, Internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkefUu7M61fT58tyyOyTbCrGw60eZ3PrTugefEkzyruh+UBDDEsIu5NS3GvJJTFRdLKqKEo
Subject: Re: [PHP-DEV] CURL file posting
From: pierrick@webstart.fr (Pierrick Charron)

Hi all,

I know this topic was opened a long time ago, but I would like to get
it resolved before 5.5 got released.

One solution proposed by Richard Lynch was to add a new
CURLOPT_FILEFIELDS  that takes an array of the parameters that are
supposed to be files, so the ones that are expected to have '@'. One
problem that we may have to deal with this solution is that the user
will have to add all the post params in 2 steps (first for the string
data and then for the files). Internally, libcurl only allow one call
to CURLOPT_HTTPPOST (second will override the first one), so it may
become unclear either the new data are appended, or overwrite the old
one.

An other solution proposed by =C1ngel Gonz=E1lez was to add a new option
to disable the '@' check, problem with this is that it will only
prevent uploading unwanted files if someone write something starting
with an '@', but it also disable completely the feature.

A last solution would be to something similar to libcurl curl_formadd
(this one could be added to the previous one so that the old way work
but there is a more secure way to do it) :

curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
    'firstname' =3D> 'pierrick',
    'lastname' =3D> array(CURLFORM_CONTENTS =3D> 'charron'),
    'lastname' =3D> array(CURLFORM_FILENAME =3D> 'name.png', CURLFORM_FILE
=3D> '/home/pierrick/picture.png', CURLFORM_CONTENTTYPE =3D> 'image/jpg')
);

One thing we have to think about this solution is if at some point we
want to allow sending array via curl, will it conflict ?

Do someone have an other better idea ? Which one would you prefer and
see implemented ?

Thanks all for your inputs

Pierrick

On 11 March 2012 19:29, Stas Malyshev <smalyshev@sugarcrm.com> wrote:
> Hi!
>
>> I'd sure like a PHP extension that didn't have this obvious and nasty bu=
g:
>>
>> https://bugs.php.net/bug.php?id=3D46439
>
>
> This doesn't look good. Documentation does say the @ prefix exists, but i=
t
> has very high potential of creating security holes for unsuspecting peopl=
e.
> open_basedir would help limit the impact, but still it's not a good thing=
.
> Any ideas on fixing it without breaking the BC?
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>