Newsgroups: php.internals
Xref: news.php.net php.internals:64460
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
In-Reply-To: <50DE4A01.8050006@sugarcrm.com>
References: <4F5C5540.8010204@sugarcrm.com>
  <4F5D3569.8050307@sugarcrm.com> <50DE4A01.8050006@sugarcrm.com>
Date: Sat, 29 Dec 2012 11:06:01 -0500
To: Stas Malyshev
Cc: Internals
Subject: Re: [PHP-DEV] CURL file posting
From: pierrick@webstart.fr (Pierrick Charron)

Hi,

You're right, the proposed implementation did not remove the issue but was just changing the way to produce it, and I agree that the most secure way to do it would be, as you suggested, to add a separate option, but I see some issues that we will have.

Usually libcurl doesn't allow calling curl_easy_setopt with the same option twice on the same easy handle; it will overwrite the data set by the first call. php/cURL abstracts multiple ways to send post data, all of them through the usage of CURLOPT_POSTFIELDS. When you set CURLOPT_POSTFIELDS to an array using the php/curl API, php/curl will internally use the CURLOPT_HTTPPOST option, and when you set the same option to a string, it will call CURLOPT_COPYPOSTFIELDS.

So first we will have to store the value of both CURLOPT_POSTFIELDS and CURLOPT_POSTFILEFIELD (or whatever we want to call it) so that we always call CURLOPT_HTTPPOST once with the merge of the 2 options, but still, if someone does something like this:

curl_setopt($ch, CURLOPT_POSTFIELDS, 'foo=bar');
curl_setopt($ch, CURLOPT_POSTFILEFIELD, array('upload' => 'filename.jpg'));

This will not work because we need to use both CURLOPT_HTTPPOST and CURLOPT_COPYPOSTFIELDS, which are not compatible.

Ideas on how we could solve this are welcome.

Thanks
Pierrick

On 28 December 2012 20:40, Stas Malyshev wrote:
> Hi!
>
>> I know this topic was opened a long time ago, but I would like to get
>> it resolved before 5.5 got released.
>
> I agree, it looks like a place where we could use improvement, current
> API is kind of dangerous.
>
>> A last solution would be to do something similar to libcurl curl_formadd
>> (this one could be added to the previous one so that the old way works
>> but there is a more secure way to do it):
>>
>> curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
>>     'firstname' => 'pierrick',
>>     'lastname'  => array(CURLFORM_CONTENTS => 'charron'),
>>     'picture'   => array(CURLFORM_FILENAME => 'name.png', CURLFORM_FILE
>>         => '/home/pierrick/picture.png', CURLFORM_CONTENTTYPE => 'image/jpg')
>> ));
>>
>> One thing we have to think about with this solution is if at some point we
>> want to allow sending arrays via curl, will it conflict?
>
> I don't think we would allow sending arrays through curl, however
> there's another problem - theoretically, if user can access the data you
> put in $lastname variable, in many contexts it's not hard to put an
> array there either - i.e. if you have a form that has element lastname
> that posts to $lastname and then you do:
>
> curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
>     'lastname' => $lastname,
>     /// etc.
>
> Then you could also create a form that posts to lastname[filename] and
> simulate this array too. So it's not a complete solution. I'm thinking
> maybe using separate option for files and deprecating the current one
> may be better idea. Unless somebody has even better solution :)
>
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
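The hazard the thread is about, and one way to sidestep it with the php/curl API as it stands, as an added example (not php/curl's code and not either author's): `checkPostFields()` flags the two shapes of request data that are dangerous in the array form of `CURLOPT_POSTFIELDS` (a value with a leading `@`, which php/curl turns into a local-file upload, and a value that is itself an array, which Stas points out a client can forge by posting `lastname[filename]=...`), and `buildMultipartBody()` avoids the array form entirely by serialising fields and files into a `multipart/form-data` string, which php/curl hands to libcurl as `CURLOPT_COPYPOSTFIELDS`, where `@` is plain data. The function names, the sample field values and the `filename`/`type`/`contents` layout of the file spec are this example's own assumptions; it targets PHP 7 or later, and `ext/curl` is only needed for the final block.

```php
<?php
// Added example for the discussion above; not php/curl's code. It shows (1) the
// hazard of forwarding request-controlled values into the array form of
// CURLOPT_POSTFIELDS, where a leading "@" makes php/curl upload a local file,
// (2) the point that a nested-array scheme is forgeable because PHP turns
// "lastname[filename]=x" into an array, and (3) a mitigation that avoids the
// array form altogether: build multipart/form-data yourself and pass a string,
// which php/curl forwards as CURLOPT_COPYPOSTFIELDS, where "@" is just data.
// Function names, sample values and the file spec layout are assumptions of
// this example. Requires PHP 7+; ext/curl is only needed for the last block.

// Report fields that would be dangerous in the array form of CURLOPT_POSTFIELDS.
function checkPostFields(array $fields): array
{
    $problems = [];
    foreach ($fields as $name => $value) {
        if (is_array($value)) {
            $problems[$name] = "array value; a client can forge it with {$name}[key]=value";
        } elseif (is_string($value) && isset($value[0]) && $value[0] === '@') {
            $problems[$name] = 'leading "@" would upload local file ' . substr($value, 1);
        }
    }
    return $problems;
}

// Escape a Content-Disposition parameter the way browsers do (quote, CR, LF).
function encodeParam(string $s): string
{
    return str_replace(['"', "\r", "\n"], ['%22', '%0D', '%0A'], $s);
}

// Build a multipart/form-data body. Plain fields and files are separate inputs,
// so nothing inside a field value can promote it to a file upload.
// $files: name => ['filename' => ..., 'type' => ..., 'contents' => ...]
function buildMultipartBody(array $fields, array $files, string $boundary): string
{
    $body = '';
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            throw new InvalidArgumentException("field '$name' must be a string");
        }
        $body .= "--$boundary\r\n"
            . 'Content-Disposition: form-data; name="' . encodeParam($name) . "\"\r\n\r\n"
            . $value . "\r\n";
    }
    foreach ($files as $name => $spec) {
        $body .= "--$boundary\r\n"
            . 'Content-Disposition: form-data; name="' . encodeParam($name) . '"; filename="'
            . encodeParam($spec['filename']) . "\"\r\n"
            . 'Content-Type: ' . $spec['type'] . "\r\n\r\n"
            . $spec['contents'] . "\r\n";
    }
    return $body . "--$boundary--\r\n";
}

// Constructed request data, as a hostile client could submit it to a form whose
// handler copies $_POST values straight into a CURLOPT_POSTFIELDS array.
$untrusted = [
    'firstname' => 'pierrick',
    'lastname'  => '@/etc/passwd',                               // classic "@" file upload
    'picture'   => ['filename' => 'x', 'file' => '/etc/passwd'], // picture[filename]=x&picture[file]=...
];
print_r(checkPostFields($untrusted));

// Safe path: only string fields from the request, files chosen by the program,
// everything serialised to a string before it reaches curl.
$boundary = '----php-curl-example-' . bin2hex(random_bytes(12));
$body = buildMultipartBody(
    ['firstname' => 'pierrick', 'lastname' => '@/etc/passwd'],   // "@" is sent literally
    ['picture' => ['filename' => 'name.png', 'type' => 'image/png',
                   'contents' => "\x89PNG constructed sample bytes"]],
    $boundary
);
echo $body;

if (function_exists('curl_init')) {
    $ch = curl_init('https://example.invalid/upload');
    // A string here reaches libcurl via CURLOPT_COPYPOSTFIELDS; no "@" interpretation.
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_HTTPHEADER,
        ['Content-Type: multipart/form-data; boundary=' . $boundary]);
    // curl_exec($ch) is omitted so the example runs offline.
    curl_close($ch);
}
```

The string path costs you the Content-Type header that libcurl would otherwise generate, so it has to be set by hand with the same boundary; in exchange the only way a file gets into the request is through the `$files` parameter, which the request never controls, and `checkPostFields()` is left for code that must keep using the array form.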