Newsgroups: php.internals
Message-ID: <50EA5EAF.2000704@sugarcrm.com>
Date: Sun, 06 Jan 2013 21:35:43 -0800
From: Stas Malyshev <smalyshev@sugarcrm.com>
Organization: SugarCRM
To: Pierrick Charron
CC: PHP Internals <internals@lists.php.net>
References: <50E90DD1.7040204@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] Fixing insecure cURL file uploading

Hi!
> cURL allows you to upload a file from a string buffer with CURLFORM_BUFFER
> and we should be able to do all the streams stuff with CURLFORM_STREAM
> and by modifying our CURLOPT_READFUNCTION.

CURLFORM_STREAM has one issue - you can only have one read function, but you could have many uploaded files in the form. If we're willing to accept the limitation that only one uploaded file can be a stream and that you cannot use both a read function and a stream file at the same time, then it will work. Otherwise the cURL API wouldn't let us distinguish between the functions.

I'll start with implementing it without stream/buffer support, and then add it later.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227