Hi!
I've started a vote on CURLFile RFC:
https://wiki.php.net/rfc/curl-file-upload#vote
Please vote.
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Stas,
Thanks for running with this concept! Looks great to me...
Anthony
On Sun, Jan 20, 2013 at 8:32 PM, Stas Malyshev smalyshev@sugarcrm.com wrote:
Hi!
I've started a vote on CURLFile RFC:
https://wiki.php.net/rfc/curl-file-upload#vote
Please vote.
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi!
Thanks for running with this concept! Looks great to me...
Thanks. I think it needs one more addition, actually - it may be a good
idea to have special handling for serializing/unserializing - but I'll
look into it after the vote, it shouldn't change anything related to the
main concept.
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi!
I've started a vote on CURLFile RFC:
https://wiki.php.net/rfc/curl-file-upload#vote
Please vote.
Looks like the feature has been approved almost anonymously, so I'll be
proceeding with merging the pull soon. I'm also planning adding __wakeup
there that blocks unserializing CURLFile, for security reasons, please
tell me if anyone thinks it's not good. Also, if anyone has
comments/suggestions/additions to it, you are welcome to voice them.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi!
Looks like the feature has been approved almost anonymously, so I'll be
Unanimously of course :)
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi Stas,
I'm not against it but, just being curious, what are those security
reasons?
Thanks
Pierrick
Hi!
I've started a vote on CURLFile RFC:
https://wiki.php.net/rfc/curl-file-upload#vote
Please vote.
Looks like the feature has been approved almost anonymously, so I'll be
proceeding with merging the pull soon. I'm also planning adding __wakeup
there that blocks unserializing CURLFile, for security reasons, please
tell me if anyone thinks it's not good. Also, if anyone has
comments/suggestions/additions to it, you are welcome to voice them.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi!
I'm not against it but, just being curious, what are those security
reasons?
If you ever accepted serialized data from outside (say, after putting it
in a cookie or just having API that accepts serialization) and then
forwarded the same data array using cURL, the attacker could create
serialized representation of CURLFile that would make cURL send out a
file on your filesystem, which would be a security breach. Basically the
same security problem as with @, only with serialization involved. It is
not frequent case, but possible.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
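The defensive pattern Stas describes above, written out as an added example that is not part of the thread, the RFC, or php-src. `UploadHandle`, `decodeUntrusted`, `assertPlainPostFields` and the endpoint URL are made-up names standing in for the real CURLFile and an application's own code; PHP 8 syntax is assumed.

```php
<?php
// Added illustration (not code from the RFC or php-src) of the two layers that
// close the hole discussed in the thread:
//   1. a __wakeup() that refuses to rebuild a file-handle object from serialized
//      data, mirroring what is proposed for CURLFile;
//   2. a caller-side guard that never hands an object (or a legacy '@' string)
//      to CURLOPT_POSTFIELDS when the array came from an untrusted source.

// Hypothetical stand-in for CURLFile so the pattern can be read in isolation.
final class UploadHandle
{
    public function __construct(public string $path, public string $mime = '') {}

    // Blocking unserialization means an attacker-supplied serialized string can
    // never turn into a "send this local file" instruction for cURL.
    public function __wakeup(): void
    {
        throw new RuntimeException('Unserialization of UploadHandle is not allowed');
    }
}

// Decode data from an untrusted channel (cookie, API body) without letting it
// instantiate any class: every object becomes __PHP_Incomplete_Class instead.
function decodeUntrusted(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Before forwarding fields to cURL, reject anything that is not a plain scalar:
// objects (CURLFile, incomplete classes, anything else) and strings carrying the
// legacy '@' upload prefix, which is the same problem the thread compares this to.
function assertPlainPostFields(array $fields): array
{
    foreach ($fields as $key => $value) {
        if (is_object($value)) {
            throw new InvalidArgumentException("Field '$key' is an object; refusing to forward");
        }
        if (is_string($value) && str_starts_with($value, '@')) {
            throw new InvalidArgumentException("Field '$key' starts with '@'; refusing to forward");
        }
    }
    return $fields;
}

// Constructed sample input: a harmless serialized array, run through the guards.
$incoming = serialize(['user' => 'alice', 'note' => 'hello']);
$fields   = assertPlainPostFields(decodeUntrusted($incoming));

$ch = curl_init('https://example.invalid/api');   // placeholder endpoint
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// curl_exec($ch) would now forward only the scalar fields above.

// The __wakeup guard in action: unserialize() throws instead of yielding an object.
try {
    unserialize(serialize(new UploadHandle('/etc/hostname')));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The `allowed_classes` option alone already stops CURLFile from being rebuilt, but it only helps when every `unserialize()` call in the code base uses it; the `__wakeup()` block proposed in the thread protects even the calls that forget, which is why both layers are shown.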
Thanks for the example. Even if it's not frequent I agree that it doesn't
cost much to prevent this issue
Pierrick
Hi!
I'm not against it but, just being curious, what are those security
reasons?
If you ever accepted serialized data from outside (say, after putting it
in a cookie or just having API that accepts serialization) and then
forwarded the same data array using cURL, the attacker could create
serialized representation of CURLFile that would make cURL send out a
file on your filesystem, which would be a security breach. Basically the
same security problem as with @, only with serialization involved. It is
not frequent case, but possible.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
On Mon, Jan 21, 2013 at 2:32 AM, Stas Malyshev smalyshev@sugarcrm.com wrote:
Hi!
I've started a vote on CURLFile RFC:
https://wiki.php.net/rfc/curl-file-upload#vote
Please vote.
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
--
Hi Stas,
I recently gave a presentation on the upcoming php version, and somebody
asked why did we introduce an OOP way for this when everything else in
ext/curl is procedural.
It seems that the OOP approach was proposed first, and the procedural
alternative was added a week later, which seems to be a little bit odd.
Is there any particular reason for this?
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Hi!
I recently gave a presentation on the upcoming php version, and somebody
asked why did we introduce an OOP way for this when everything else in
ext/curl is procedural.
It needed an object, so it had the object API. Since people also asked
for procedural way to create it (no idea why, but they did) I've added
that too.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227