Good afternoon,
Stas’s ‘Fix CURL file uploads’ RFC was approved and implemented in PHP 5.5:
https://wiki.php.net/rfc/curl-file-upload
It deals with the quite serious security issue caused by the behaviour ofCURLOPT_POSTFIELDS where the ‘@‘ prefix before a path specifies a file upload, making it unsafe to pass user data to CURLOPT_POSTFIELDS without checking for ‘@‘ first. It fixes this by adding a new way to specify a file (the CURLFile object) and by adding a new option, CURLOPT_SAFE_UPLOAD, which can be set to true (but is false by default) which disables the ‘@‘ prefix.
What I’m wondering about is the status of the default value of the CURLOPT_SAFE_UPLOAD constant in the PHP-5.6 branch. The RFC specifies that it should be set to true by default in PHP 5.6, but I don’t know if this has actually been implemented. I can’t understand the cURL source well enough to see if this is the case. Could someone inform me?
If it’s still false, I think it is imperative that we make sure the it is true by default by the time PHP 5.6 is released. While this will break code that relied on ‘@‘, PHP 5.5 has been out for quite a while now, and the fix is very simple to implement. The very considerable security benefits trump the inconvenience of changing existing code here, IMHO. Existing code can be fixed very easily, either by using the CURLFile class if targeting only PHP 5.5+, or by setting CURLOPT_SAFE_UPLOAD to false, both of which are single-line changes.
So, does anyone know what the status in PHP-5.6 is?
Thanks!
Andrea Faulds
http://ajf.me/
Hi Andrea
Good afternoon,
Stas’s ‘Fix CURL file uploads’ RFC was approved and implemented in PHP 5.5:
https://wiki.php.net/rfc/curl-file-upload
It deals with the quite serious security issue caused by the behaviour ofCURLOPT_POSTFIELDS where the ‘@‘ prefix before a path specifies a file upload, making it unsafe to pass user data to
CURLOPT_POSTFIELDSwithout checking for ‘@‘ first. It fixes this by adding a new way to specify a file (the CURLFile object) and by adding a new option, CURLOPT_SAFE_UPLOAD, which can be set to true (but is false by default) which disables the ‘@‘ prefix.What I’m wondering about is the status of the default value of the
CURLOPT_SAFE_UPLOADconstant in the PHP-5.6 branch. The RFC specifies that it should be set to true by default in PHP 5.6, but I don’t know if this has actually been implemented. I can’t understand the cURL source well enough to see if this is the case. Could someone inform me?
It has been altered in 5.6 as specified. See:
5.5: http://lxr.php.net/xref/PHP_5_5/ext/curl/interface.c#1806
5.6: http://lxr.php.net/xref/PHP_5_6/ext/curl/interface.c#1798
Details of the change have also been added to the UPGRADING notes for 5.6
If it’s still false, I think it is imperative that we make sure the it is true by default by the time PHP 5.6 is released. While this will break code that relied on ‘@‘, PHP 5.5 has been out for quite a while now, and the fix is very simple to implement. The very considerable security benefits trump the inconvenience of changing existing code here, IMHO. Existing code can be fixed very easily, either by using the CURLFile class if targeting only PHP 5.5+, or by setting
CURLOPT_SAFE_UPLOADto false, both of which are single-line changes.So, does anyone know what the status in PHP-5.6 is?
Thanks!
Andrea Faulds
http://ajf.me/
Thanks, Chris
It has been altered in 5.6 as specified. See:
5.5: http://lxr.php.net/xref/PHP_5_5/ext/curl/interface.c#1806
5.6: http://lxr.php.net/xref/PHP_5_6/ext/curl/interface.c#1798Details of the change have also been added to the UPGRADING notes for 5.6
That’s great news, thanks!
Andrea Faulds
http://ajf.me/