Good afternoon,

Stas’s ‘Fix CURL file uploads’ RFC was approved and implemented in PHP 5.5:

https://wiki.php.net/rfc/curl-file-upload

It deals with the quite serious security issue caused by the behaviour of CURLOPT_POSTFIELDS where the ‘@’ prefix before a path specifies a file upload, making it unsafe to pass user data to CURLOPT_POSTFIELDS without checking for ‘@’ first. It fixes this by adding a new way to specify a file (the CURLFile object) and by adding a new option, CURLOPT_SAFE_UPLOAD, which can be set to true (but is false by default) which disables the ‘@’ prefix.

What I’m wondering about is the status of the default value of the CURLOPT_SAFE_UPLOAD constant in the PHP-5.6 branch. The RFC specifies that it should be set to true by default in PHP 5.6, but I don’t know if this has actually been implemented. I can’t understand the cURL source well enough to see if this is the case. Could someone inform me?

If it’s still false, I think it is imperative that we make sure that it is true by default by the time PHP 5.6 is released. While this will break code that relied on ‘@’, PHP 5.5 has been out for quite a while now, and the fix is very simple to implement. The very considerable security benefits trump the inconvenience of changing existing code here, IMHO. Existing code can be fixed very easily, either by using the CURLFile class if targeting only PHP 5.5+, or by setting CURLOPT_SAFE_UPLOAD to false, both of which are single-line changes.

So, does anyone know what the status in PHP-5.6 is?

Thanks!
--
Andrea Faulds
http://ajf.me/

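As an added illustration of the hazard the thread describes (this is example code, not part of the original thread or of PHP's own sources), the following shows a POST built from an untrusted field alongside an intended upload. It assumes ext/curl is loaded and that `$userComment` comes from an untrusted request; the URL and field names are constructed for the example.

```php
<?php
// Added example: the '@' prefix hazard in CURLOPT_POSTFIELDS and the PHP 5.5+
// mitigation (CURLFile + CURLOPT_SAFE_UPLOAD) discussed in the thread.
// Assumed: ext/curl is available; $userComment is untrusted request input.

function build_post_fields($userComment, $attachmentPath)
{
    // Under the legacy behaviour (CURLOPT_SAFE_UPLOAD = false, the 5.5
    // default) a value whose first character is '@' is read as "upload this
    // local file", so an untrusted value must never reach CURLOPT_POSTFIELDS
    // unchecked. The upload we actually intend is expressed with CURLFile,
    // which does not rely on the '@' convention at all.
    return array(
        'comment'    => $userComment,
        'attachment' => new CURLFile($attachmentPath, 'text/plain', 'notes.txt'),
    );
}

function configure_upload_handle($url, array $fields)
{
    $ch = curl_init($url);
    // Turn off '@' interpretation explicitly so the handle behaves the same
    // on 5.5 (default false) and 5.6 (default true, as confirmed below).
    curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Defensive check for code that must still run on PHP < 5.5, where neither
// CURLFile nor CURLOPT_SAFE_UPLOAD exists: refuse any untrusted value that
// the old parser would treat as an upload directive.
function assert_not_upload_directive($value)
{
    if (isset($value[0]) && $value[0] === '@') {
        throw new InvalidArgumentException('Untrusted POST field must not start with "@"');
    }
    return $value;
}

// Constructed sample input: a request parameter that happens to begin with '@'.
$userComment = '@not-a-file-path';

$fields = build_post_fields($userComment, __FILE__);
$ch = configure_upload_handle('https://example.invalid/upload', $fields);
// With CURLOPT_SAFE_UPLOAD enabled, curl_exec($ch) would send the comment
// field literally as "@not-a-file-path" and upload __FILE__ as "attachment";
// nothing in the user-supplied value is interpreted as a local path.
curl_close($ch);

// On a pre-5.5 runtime the same input is rejected before it reaches cURL.
try {
    assert_not_upload_directive($userComment);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two mitigations are complementary: `CURLFile` makes the intended upload explicit, and `CURLOPT_SAFE_UPLOAD` removes the implicit path interpretation for everything else, which is why setting it to `true` (rather than relying on the version-dependent default) is the portable choice across 5.5 and 5.6.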

  • Chris Wright at May 31, 2014 at 4:43 pm
    Hi Andrea
    On 31 May 2014 15:19, Andrea Faulds wrote:
    > Good afternoon,
    >
    > Stas’s ‘Fix CURL file uploads’ RFC was approved and implemented in PHP 5.5:
    >
    > https://wiki.php.net/rfc/curl-file-upload
    >
    > It deals with the quite serious security issue caused by the behaviour of CURLOPT_POSTFIELDS where the ‘@’ prefix before a path specifies a file upload, making it unsafe to pass user data to CURLOPT_POSTFIELDS without checking for ‘@’ first. It fixes this by adding a new way to specify a file (the CURLFile object) and by adding a new option, CURLOPT_SAFE_UPLOAD, which can be set to true (but is false by default) which disables the ‘@’ prefix.
    >
    > What I’m wondering about is the status of the default value of the CURLOPT_SAFE_UPLOAD constant in the PHP-5.6 branch. The RFC specifies that it should be set to true by default in PHP 5.6, but I don’t know if this has actually been implemented. I can’t understand the cURL source well enough to see if this is the case. Could someone inform me?

    It has been altered in 5.6 as specified. See:

    5.5: http://lxr.php.net/xref/PHP_5_5/ext/curl/interface.c#1806
    5.6: http://lxr.php.net/xref/PHP_5_6/ext/curl/interface.c#1798

    Details of the change have also been added to the UPGRADING notes for 5.6.

    > If it’s still false, I think it is imperative that we make sure that it is true by default by the time PHP 5.6 is released. While this will break code that relied on ‘@’, PHP 5.5 has been out for quite a while now, and the fix is very simple to implement. The very considerable security benefits trump the inconvenience of changing existing code here, IMHO. Existing code can be fixed very easily, either by using the CURLFile class if targeting only PHP 5.5+, or by setting CURLOPT_SAFE_UPLOAD to false, both of which are single-line changes.
    >
    > So, does anyone know what the status in PHP-5.6 is?
    >
    > Thanks!
    > --
    > Andrea Faulds
    > http://ajf.me/

    Thanks, Chris
  • Andrea Faulds at May 31, 2014 at 4:48 pm

    On 31 May 2014, at 17:43, Chris Wright wrote:

    > It has been altered in 5.6 as specified. See:
    >
    > 5.5: http://lxr.php.net/xref/PHP_5_5/ext/curl/interface.c#1806
    > 5.6: http://lxr.php.net/xref/PHP_5_6/ext/curl/interface.c#1798
    >
    > Details of the change have also been added to the UPGRADING notes for 5.6.

    That’s great news, thanks!
    --
    Andrea Faulds
    http://ajf.me/

Group: php-internals @ php.net (3 posts, 2 users; posted May 31, 2014)