From: ajf@ajf.me (Andrea Faulds)
To: PHP internals
Date: Sat, 31 May 2014 15:19:34 +0100
Subject: CURLOPT_SAFE_UPLOAD and PHP 5.6
Newsgroups: php.internals

Good afternoon,

Stas’s ‘Fix CURL file uploads’ RFC was approved and implemented in PHP 5.5: https://wiki.php.net/rfc/curl-file-upload

It deals with the quite serious security issue caused by the behaviour of CURLOPT_POSTFIELDS where the ‘@’ prefix before a path specifies a file upload, making it unsafe to pass user data to CURLOPT_POSTFIELDS without checking for ‘@’ first. It fixes this by adding a new way to specify a file (the CURLFile object) and by adding a new option, CURLOPT_SAFE_UPLOAD, which can be set to true (but is false by default) and which disables the ‘@’ prefix.

What I’m wondering about is the status of the default value of the CURLOPT_SAFE_UPLOAD constant in the PHP-5.6 branch. The RFC specifies that it should be set to true by default in PHP 5.6, but I don’t know if this has actually been implemented. I can’t understand the cURL source well enough to see if this is the case. Could someone inform me?

If it’s still false, I think it is imperative that we make sure that it is true by default by the time PHP 5.6 is released. While this will break code that relied on ‘@’, PHP 5.5 has been out for quite a while now, and the fix is very simple to implement. The very considerable security benefits trump the inconvenience of changing existing code here, IMHO. Existing code can be fixed very easily, either by using the CURLFile class if targeting only PHP 5.5+, or by setting CURLOPT_SAFE_UPLOAD to false, both of which are single-line changes.

So, does anyone know what the status in PHP-5.6 is?

Thanks!
--
Andrea Faulds
http://ajf.me/
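
The hardened upload pattern the message refers to, as an added example that is not part of the original post or of PHP's source: untrusted values are always sent as text, and only paths chosen by the application become uploads via CURLFile. The function name, field names, URL and sample values are hypothetical, and PHP 5.5+ is assumed.

```php
<?php
// Added example, not code from the original message. Function, field and
// file names are hypothetical; the sample values are constructed.

/**
 * Set a multipart POST body in which only application-chosen paths
 * become file uploads and untrusted values are always sent as text.
 * Assumes PHP 5.5+ (CURLFile and CURLOPT_SAFE_UPLOAD available).
 */
function set_safe_post_fields($ch, array $untrustedText, array $uploadPaths)
{
    // Set this BEFORE CURLOPT_POSTFIELDS: PHP interprets the fields
    // array at curl_setopt() time, so the order of the calls matters.
    if (!curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true)) {
        throw new RuntimeException('Could not enable CURLOPT_SAFE_UPLOAD');
    }
    $fields = array();
    foreach ($untrustedText as $name => $value) {
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("Field '$name' must be a scalar");
        }
        // A leading '@' is now plain data, not a request to read a file.
        $fields[$name] = (string) $value;
    }
    foreach ($uploadPaths as $name => $path) {
        if (!is_file($path) || !is_readable($path)) {
            throw new InvalidArgumentException("Upload '$name' is not readable");
        }
        $fields[$name] = new CURLFile($path);
    }

    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    return $fields;
}

// Constructed demo: nothing is sent, the handle is only configured.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "constructed sample upload\n");
$ch = curl_init('http://localhost/upload');  // placeholder URL
$fields = set_safe_post_fields(
    $ch,
    array('comment' => '@' . $tmp),          // user text that starts with '@'
    array('attachment' => $tmp)
);
foreach ($fields as $name => $value) {
    echo $name, ': ', is_object($value) ? 'file upload (CURLFile)' : 'text', "\n";
}
unlink($tmp);
```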