Hi,

You're right, the proposed implementation did not remove the issue but
was just changing the way to produce it and I agree that the most
secure way to do it would be as you suggested to add a separate option
but I see some issues that we will have.

Usually libcurl doesn't allow calling curl_easy_setopt with the same
option twice on the same easy handle, it will overwrite the data set
by the first call. php/cURL abstracts multiple ways to send post data,
all of them by the usage of CURLOPT_POSTFIELDS. When you set the
CURLOPT_POSTFIELDS to an array using the php/curl api, php/curl will
internally use the CURLOPT_HTTPPOST option, and when you set the same
option to a string, it will call the CURLOPT_COPYPOSTFIELDS.

So first we will have to store the value of both CURLOPT_POSTFIELDS and
CURLOPT_POSTFILEFIELD (or whatever we want to call it) so that we
always call CURLOPT_HTTPPOST once with the merge of the 2 options but
still, if someone does something like this

curl_setopt($ch, CURLOPT_POSTFIELDS, 'foo=bar');
curl_setopt($ch, CURLOPT_POSTFILEFIELD, array('upload' => 'filename.jpg'));

This will not work because we need to use both CURLOPT_HTTPPOST and
CURLOPT_COPYPOSTFIELDS which are not compatible.

Ideas on how we could solve this are welcome.

Thanks
Pierrick

On 28 December 2012 20:40, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> Hi!
>
>> I know this topic was opened a long time ago, but I would like to get
>> it resolved before 5.5 got released.
>
> I agree, it looks like a place where we could use improvement, current
> API is kind of dangerous.
>
>> A last solution would be to do something similar to libcurl curl_formadd
>> (this one could be added to the previous one so that the old way works
>> but there is a more secure way to do it):
>>
>> curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
>>     'firstname' => 'pierrick',
>>     'lastname' => array(CURLFORM_CONTENTS => 'charron'),
>>     'lastname' => array(CURLFORM_FILENAME => 'name.png', CURLFORM_FILE
>> => '/home/pierrick/picture.png', CURLFORM_CONTENTTYPE => 'image/jpg')
>> ));
>>
>> One thing we have to think about this solution is if at some point we
>> want to allow sending array via curl, will it conflict?
>
> I don't think we would allow sending arrays through curl, however
> there's another problem - theoretically, if user can access the data you
> put in $lastname variable, in many contexts it's not hard to put an
> array there either - i.e. if you have a form that has element lastname
> that posts to $lastname and then you do:
>
> curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
>      'lastname' => $lastname,
> /// etc.
>
> Then you could also create a form that posts to lastname[filename] and
> simulate this array too. So it's not a complete solution. I'm thinking
> maybe using a separate option for files and deprecating the current one
> may be a better idea. Unless somebody has an even better solution :)
>
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
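
An added example, not part of the original thread or of php/curl itself: one way calling code can guard against the case raised in the quoted reply, where a form element named lastname[filename] turns $lastname into an array. The helper name build_post_body, the sample inputs and the example.invalid URL are hypothetical.

```php
<?php
/**
 * Build a urlencoded POST body from user-supplied fields, rejecting any
 * value that is not a plain string. (Hypothetical helper for illustration.)
 */
function build_post_body(array $fields): string
{
    foreach ($fields as $name => $value) {
        // A form element named lastname[filename] arrives in PHP as
        // $_POST['lastname'] = array('filename' => ...), which is the
        // shape discussed in the thread. Refuse it before it reaches curl.
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field '$name' must be a string");
        }
    }
    // Passing a string (not an array) to CURLOPT_POSTFIELDS keeps php/curl
    // on the string path described above instead of the CURLOPT_HTTPPOST one.
    return http_build_query($fields, '', '&');
}

// Constructed sample input: what a normal form submission looks like.
$benign = array('firstname' => 'pierrick', 'lastname' => 'charron');

// Constructed sample input: what a form posting to lastname[filename] produces.
$crafted = array(
    'firstname' => 'pierrick',
    'lastname'  => array('filename' => 'name.png'),
);

// The handle is only configured here, never executed, so this runs offline.
$ch = curl_init('https://example.invalid/submit');
curl_setopt($ch, CURLOPT_POSTFIELDS, build_post_body($benign));

try {
    build_post_body($crafted);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```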
