Newsgroups: php.internals
Date: Thu, 17 Jan 2013 13:42:57 -0500
Subject: Re: [PHP-DEV] [RFC] Fixing insecure cURL file uploading
From: pierrick@webstart.fr (Pierrick Charron)
To: Stas Malyshev
Cc: PHP Internals

Hi Stas,

What's the status of this fix?

Thanks
Pierrick

On 8 January 2013 04:23, Stas Malyshev wrote:
> Hi!
>
>> Looks good to me, just it could be great to add a new cURL option at
>> the same time to disable the '@' usage so that someone working with
>> the new ext/curl version can disable it and therefore send values
>> starting by @
>
> That is a good suggestion, I'll add CURL_SAFE_POSTFIELDS which would
> disable the @ option.
>
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227