Hi all,
I know this topic was opened a long time ago, but I would like to get
it resolved before 5.5 got released.
One solution proposed by Richard Lynch was to add a new
CURLOPT_FILEFIELDS that takes an array of the parameters that are
supposed to be files, so the ones that are expected to have '@'. One
problem that we may have to deal with this solution is that the user
will have to add all the post params in 2 steps (first for the string
data and then for the files). Internally, libcurl only allow one call
to CURLOPT_HTTPPOST (second will override the first one), so it may
become unclear either the new data are appended, or overwrite the old
one.
An other solution proposed by Ángel González was to add a new option
to disable the '@' check, problem with this is that it will only
prevent uploading unwanted files if someone write something starting
with an '@', but it also disable completely the feature.
A last solution would be to something similar to libcurl curl_formadd
(this one could be added to the previous one so that the old way work
but there is a more secure way to do it) :
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
'firstname' => 'pierrick',
'lastname' => array(CURLFORM_CONTENTS => 'charron'),
'lastname' => array(CURLFORM_FILENAME => 'name.png', CURLFORM_FILE
=> '/home/pierrick/picture.png', CURLFORM_CONTENTTYPE => 'image/jpg')
);
One thing we have to think about this solution is if at some point we
want to allow sending array via curl, will it conflict ?
Do someone have an other better idea ? Which one would you prefer and
see implemented ?
Thanks all for your inputs
Pierrick
On 11 March 2012 19:29, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> Hi!
>
>> I'd sure like a PHP extension that didn't have this obvious and nasty bug:
>>
>> https://bugs.php.net/bug.php?id=46439
>
>
> This doesn't look good. Documentation does say the @ prefix exists, but it
> has very high potential of creating security holes for unsuspecting people.
> open_basedir would help limit the impact, but still it's not a good thing.
> Any ideas on fixing it without breaking the BC?
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
