From: cw@daverandom.com (Chris Wright)
To: Andrea Faulds
Cc: PHP internals
Date: Sat, 31 May 2014 17:43:40 +0100
Subject: Re: [PHP-DEV] CURLOPT_SAFE_UPLOAD and PHP 5.6

Hi Andrea

On 31 May 2014 15:19, Andrea Faulds wrote:
> Good afternoon,
>
> Stas’s ‘Fix CURL file uploads’ RFC was approved and implemented in PHP 5.5:
>
> https://wiki.php.net/rfc/curl-file-upload
>
> It deals with the quite serious security issue caused by the behaviour of
> CURLOPT_POSTFIELDS where the ‘@’ prefix before a path specifies a file
> upload, making it unsafe to pass user data to CURLOPT_POSTFIELDS without
> checking for ‘@’ first. It fixes this by adding a new way to specify a file
> (the CURLFile object) and by adding a new option, CURLOPT_SAFE_UPLOAD, which
> can be set to true (but is false by default) which disables the ‘@’ prefix.
>
> What I’m wondering about is the status of the default value of the
> CURLOPT_SAFE_UPLOAD constant in the PHP-5.6 branch. The RFC specifies that
> it should be set to true by default in PHP 5.6, but I don’t know if this has
> actually been implemented. I can’t understand the cURL source well enough to
> see if this is the case. Could someone inform me?
>

It has been altered in 5.6 as specified. See:

5.5: http://lxr.php.net/xref/PHP_5_5/ext/curl/interface.c#1806
5.6: http://lxr.php.net/xref/PHP_5_6/ext/curl/interface.c#1798

Details of the change have also been added to the UPGRADING notes for 5.6.

> If it’s still false, I think it is imperative that we make sure that it is
> true by default by the time PHP 5.6 is released. While this will break code
> that relied on ‘@’, PHP 5.5 has been out for quite a while now, and the fix
> is very simple to implement. The very considerable security benefits trump
> the inconvenience of changing existing code here, IMHO. Existing code can be
> fixed very easily, either by using the CURLFile class if targeting only PHP
> 5.5+, or by setting CURLOPT_SAFE_UPLOAD to false, both of which are
> single-line changes.
>
> So, does anyone know what the status in PHP-5.6 is?
>
> Thanks!
> --
> Andrea Faulds
> http://ajf.me/
>

Thanks, Chris
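
The CURLFile approach and the CURLOPT_SAFE_UPLOAD option discussed in this message, combined in an added example that is not part of the original thread or of PHP's own source. The function names, field names, URL and file path are hypothetical, and the input is constructed.

```php
<?php
// Added example; function names, field names, URL and path are hypothetical.

// Build a CURLOPT_POSTFIELDS array. Untrusted values stay plain strings;
// uploads are expressed only as CURLFile objects for paths the application
// itself chose, never for anything taken from user input.
function build_post_fields(array $userValues, array $appFiles = [])
{
    $fields = [];
    foreach ($userValues as $name => $value) {
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("Field '$name' must be scalar");
        }
        $fields[$name] = (string) $value;
    }
    foreach ($appFiles as $name => $path) {
        $fields[$name] = new CURLFile($path);
    }
    return $fields;
}

function post_form($url, array $fields)
{
    $ch = curl_init($url);
    // Set before CURLOPT_POSTFIELDS so it applies when the array is handed
    // over. true disables the '@' prefix: the PHP 5.6 default discussed
    // above, but not the PHP 5.5 default.
    if (defined('CURLOPT_SAFE_UPLOAD')) {
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    }
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}

// Constructed input: a comment field whose value happens to begin with '@'.
$fields = build_post_fields(
    ['comment' => '@home is where I left my keys'],
    ['avatar' => '/srv/app/uploads/avatar.png']
);
var_dump(is_string($fields['comment']), $fields['avatar'] instanceof CURLFile);
// post_form('https://upload.example/endpoint', $fields);
```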