Merge fileupload fixes for PHP 5.3.x

author: Stefan 2010-03-25 08:41:33 +0100
committer: Stefan 2010-03-25 08:41:33 +0100
commit: 9a9d3bbb647ae2026d63ccce9d6db4b5c5c000b3 (patch)
tree: 24225966522e18a0e674816bb83ac2311359420f
parent: 799405fc1cad4bfa4fc386ea4e46cad25b515b1d (diff)
2 files changed, 51 insertions, 23 deletions
diff --git a/Changelog b/Changelog
index 4037981..7745542 100644
--- a/Changelog
+++ b/Changelog
@@ -10,6 +10,7 @@
    - Fixed error case handling in function_exists() PHP 5.3.x
    - Merged changes/fixes in import_request_variables()/extract() from upstream PHP
    - Fixed suhosin_header_handler to be PHP 5.3.x compatible
+    - Merge fixes and new features of PHP's file upload code to suhosin
 2009-08-15 - 0.9.29
diff --git a/rfc1867.c b/rfc1867.c
index 9e819c2..d523216 100644
--- a/rfc1867.c
+++ b/rfc1867.c
@@ -776,13 +776,15 @@ SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler)
        int str_len = 0, num_vars = 0, num_vars_max = 2*10, *len_list = NULL;
        char **val_list = NULL;
 #endif
-        zend_bool magic_quotes_gpc;
        multipart_buffer *mbuff;
        zval *array_ptr = (zval *) arg;
        int fd=-1;
        zend_llist header;
        void *event_extra_data = NULL;
+#if PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
+        int upload_cnt = INI_INT("max_file_uploads");
+#endif
+        
        SDEBUG("suhosin_rfc1867_handler");
        if (SG(request_info).content_length > SG(post_max_size)) {
@@ -792,6 +794,18 @@ SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler)
        /* Get the boundary */
        boundary = strstr(content_type_dup, "boundary");
+        if (!boundary) {
+                int content_type_len = strlen(content_type_dup);
+                char *content_type_lcase = estrndup(content_type_dup, content_type_len);
+                php_strtolower(content_type_lcase, content_type_len);
+                boundary = strstr(content_type_lcase, "boundary");
+                if (boundary) {
+                        boundary = content_type_dup + (boundary - content_type_lcase);
+                }
+                efree(content_type_lcase);
+        }
+        
        if (!boundary || !(boundary=strchr(boundary, '='))) {
                sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
                return;
@@ -973,7 +987,13 @@ SDEBUG("calling inputfilter");
                        /* If file_uploads=off, skip the file part */
                        if (!PG(file_uploads)) {
                                skip_upload = 1;
-                        }
+                        } 
+#if PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
+                        else if (upload_cnt <= 0) {
+                                        skip_upload = 1;
+                                        sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+                        }
+#endif
                        /* Return with an error if the posted data is garbled */
                        if (!param && !filename) {
@@ -1019,6 +1039,9 @@ SDEBUG("calling inputfilter");
                                
                                /* Handle file */
                                fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
+#if PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
+                                upload_cnt--;
+#endif
                                if (fd==-1) {
                                        sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
                                        cancel_upload = UPLOAD_ERROR_E;
@@ -1075,12 +1098,12 @@ SDEBUG("calling inputfilter");
                                }
                                
                        
-                                if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
+                                if (PG(upload_max_filesize) > 0 && total_bytes+blen > PG(upload_max_filesize)) {
 #if DEBUG_FILE_UPLOAD
                                        sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
 #endif
                                        cancel_upload = UPLOAD_ERROR_A;
-                                } else if (max_file_size && (total_bytes > max_file_size)) {
+                                } else if (max_file_size && (total_bytes+blen > max_file_size)) {
 #if DEBUG_FILE_UPLOAD
                                        sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
 #endif
@@ -1270,26 +1293,30 @@ filedone:
                        }
                        s = "";
-                        /* Initialize variables */
+                        {
-                        add_protected_variable(param TSRMLS_CC);
+                                /* store temp_filename as-is (without magic_quotes_gpc-ing it, in case upload_tmp_dir
+                                 * contains escapeable characters. escape only the variable name.) */
+                                zval zfilename;
-                        magic_quotes_gpc = PG(magic_quotes_gpc);
+                                /* Initialize variables */
-                        PG(magic_quotes_gpc) = 0;
+                                add_protected_variable(param TSRMLS_CC);
-                        /* if param is of form xxx[.*] this will cut it to xxx */
-                        if (!is_anonymous) {
+                                /* if param is of form xxx[.*] this will cut it to xxx */
-                                safe_php_register_variable(param, temp_filename, NULL, 1 TSRMLS_CC);
+                                if (!is_anonymous) {
-                        }
+                                        ZVAL_STRING(&zfilename, temp_filename, 1);
-        
+                                        safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC);
-                        /* Add $foo[tmp_name] */
+                                }
-                        if (is_arr_upload) {
-                                sprintf(lbuf, "%s[tmp_name][%s]", abuf, array_index);
-                        } else {
-                                sprintf(lbuf, "%s[tmp_name]", param);
-                        }
-                        add_protected_variable(lbuf TSRMLS_CC);
-                        register_http_post_files_variable(lbuf, temp_filename, http_post_files, 1 TSRMLS_CC);
-                        PG(magic_quotes_gpc) = magic_quotes_gpc;
+                                /* Add $foo[tmp_name] */
+                                if (is_arr_upload) {
+                                        sprintf(lbuf, "%s[tmp_name][%s]", abuf, array_index);
+                                } else {
+                                        sprintf(lbuf, "%s[tmp_name]", param);
+                                }
+                                add_protected_variable(lbuf TSRMLS_CC);
+                                ZVAL_STRING(&zfilename, temp_filename, 1);
+                                register_http_post_files_variable_ex(lbuf, &zfilename, http_post_files, 1 TSRMLS_CC);
+                        }
                        {
                                zval file_size, error_type;
author	Stefan	2010-03-25 08:41:33 +0100
committer	Stefan	2010-03-25 08:41:33 +0100
commit	9a9d3bbb647ae2026d63ccce9d6db4b5c5c000b3 (patch)
tree	24225966522e18a0e674816bb83ac2311359420f
parent	799405fc1cad4bfa4fc386ea4e46cad25b515b1d (diff)

diff --git a/Changelog b/Changelog index 4037981..7745542 100644 --- a/Changelog +++ b/Changelog
@@ -10,6 +10,7 @@
10	- Fixed error case handling in function_exists() PHP 5.3.x	10	- Fixed error case handling in function_exists() PHP 5.3.x
11	- Merged changes/fixes in import_request_variables()/extract() from upstream PHP	11	- Merged changes/fixes in import_request_variables()/extract() from upstream PHP
12	- Fixed suhosin_header_handler to be PHP 5.3.x compatible	12	- Fixed suhosin_header_handler to be PHP 5.3.x compatible
		13	- Merge fixes and new features of PHP's file upload code to suhosin
13		14
14	2009-08-15 - 0.9.29	15	2009-08-15 - 0.9.29
15		16


diff --git a/rfc1867.c b/rfc1867.c index 9e819c2..d523216 100644 --- a/rfc1867.c +++ b/rfc1867.c
@@ -776,13 +776,15 @@ SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler)
776	int str_len = 0, num_vars = 0, num_vars_max = 210, len_list = NULL;	776	int str_len = 0, num_vars = 0, num_vars_max = 210, len_list = NULL;
777	char **val_list = NULL;	777	char **val_list = NULL;
778	#endif	778	#endif
779	zend_bool magic_quotes_gpc;
780	multipart_buffer *mbuff;	779	multipart_buffer *mbuff;
781	zval array_ptr = (zval ) arg;	780	zval array_ptr = (zval ) arg;
782	int fd=-1;	781	int fd=-1;
783	zend_llist header;	782	zend_llist header;
784	void *event_extra_data = NULL;	783	void *event_extra_data = NULL;
785		784	#if PHP_VERSION_ID >= 50302 \|\| (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
		785	int upload_cnt = INI_INT("max_file_uploads");
		786	#endif
		787
786	SDEBUG("suhosin_rfc1867_handler");	788	SDEBUG("suhosin_rfc1867_handler");
787		789
788	if (SG(request_info).content_length > SG(post_max_size)) {	790	if (SG(request_info).content_length > SG(post_max_size)) {
@@ -792,6 +794,18 @@ SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler)
792		794
793	/* Get the boundary */	795	/* Get the boundary */
794	boundary = strstr(content_type_dup, "boundary");	796	boundary = strstr(content_type_dup, "boundary");
		797	if (!boundary) {
		798	int content_type_len = strlen(content_type_dup);
		799	char *content_type_lcase = estrndup(content_type_dup, content_type_len);
		800
		801	php_strtolower(content_type_lcase, content_type_len);
		802	boundary = strstr(content_type_lcase, "boundary");
		803	if (boundary) {
		804	boundary = content_type_dup + (boundary - content_type_lcase);
		805	}
		806	efree(content_type_lcase);
		807	}
		808
795	if (!boundary \|\| !(boundary=strchr(boundary, '='))) {	809	if (!boundary \|\| !(boundary=strchr(boundary, '='))) {
796	sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");	810	sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
797	return;	811	return;
@@ -973,7 +987,13 @@ SDEBUG("calling inputfilter");
973	/* If file_uploads=off, skip the file part */	987	/* If file_uploads=off, skip the file part */
974	if (!PG(file_uploads)) {	988	if (!PG(file_uploads)) {
975	skip_upload = 1;	989	skip_upload = 1;
976	}	990	}
		991	#if PHP_VERSION_ID >= 50302 \|\| (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
		992	else if (upload_cnt <= 0) {
		993	skip_upload = 1;
		994	sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
		995	}
		996	#endif
977		997
978	/* Return with an error if the posted data is garbled */	998	/* Return with an error if the posted data is garbled */
979	if (!param && !filename) {	999	if (!param && !filename) {
@@ -1019,6 +1039,9 @@ SDEBUG("calling inputfilter");
1019		1039
1020	/* Handle file */	1040	/* Handle file */
1021	fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);	1041	fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
		1042	#if PHP_VERSION_ID >= 50302 \|\| (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
		1043	upload_cnt--;
		1044	#endif
1022	if (fd==-1) {	1045	if (fd==-1) {
1023	sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");	1046	sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1024	cancel_upload = UPLOAD_ERROR_E;	1047	cancel_upload = UPLOAD_ERROR_E;
@@ -1075,12 +1098,12 @@ SDEBUG("calling inputfilter");
1075	}	1098	}
1076		1099
1077		1100
1078	if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {	1101	if (PG(upload_max_filesize) > 0 && total_bytes+blen > PG(upload_max_filesize)) {
1079	#if DEBUG_FILE_UPLOAD	1102	#if DEBUG_FILE_UPLOAD
1080	sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);	1103	sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1081	#endif	1104	#endif
1082	cancel_upload = UPLOAD_ERROR_A;	1105	cancel_upload = UPLOAD_ERROR_A;
1083	} else if (max_file_size && (total_bytes > max_file_size)) {	1106	} else if (max_file_size && (total_bytes+blen > max_file_size)) {
1084	#if DEBUG_FILE_UPLOAD	1107	#if DEBUG_FILE_UPLOAD
1085	sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);	1108	sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1086	#endif	1109	#endif
@@ -1270,26 +1293,30 @@ filedone:
1270	}	1293	}
1271	s = "";	1294	s = "";
1272		1295
1273	/* Initialize variables */	1296	{
1274	add_protected_variable(param TSRMLS_CC);	1297	/* store temp_filename as-is (without magic_quotes_gpc-ing it, in case upload_tmp_dir
		1298	* contains escapeable characters. escape only the variable name.) */
		1299	zval zfilename;
1275		1300
1276	magic_quotes_gpc = PG(magic_quotes_gpc);	1301	/* Initialize variables */
1277	PG(magic_quotes_gpc) = 0;	1302	add_protected_variable(param TSRMLS_CC);
1278	/* if param is of form xxx[.] this will cut it to xxx /	1303
1279	if (!is_anonymous) {	1304	/* if param is of form xxx[.] this will cut it to xxx /
1280	safe_php_register_variable(param, temp_filename, NULL, 1 TSRMLS_CC);	1305	if (!is_anonymous) {
1281	}	1306	ZVAL_STRING(&zfilename, temp_filename, 1);
1282		1307	safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC);
1283	/* Add $foo[tmp_name] */	1308	}
1284	if (is_arr_upload) {
1285	sprintf(lbuf, "%s[tmp_name][%s]", abuf, array_index);
1286	} else {
1287	sprintf(lbuf, "%s[tmp_name]", param);
1288	}
1289	add_protected_variable(lbuf TSRMLS_CC);
1290	register_http_post_files_variable(lbuf, temp_filename, http_post_files, 1 TSRMLS_CC);
1291		1309
1292	PG(magic_quotes_gpc) = magic_quotes_gpc;	1310	/* Add $foo[tmp_name] */
		1311	if (is_arr_upload) {
		1312	sprintf(lbuf, "%s[tmp_name][%s]", abuf, array_index);
		1313	} else {
		1314	sprintf(lbuf, "%s[tmp_name]", param);
		1315	}
		1316	add_protected_variable(lbuf TSRMLS_CC);
		1317	ZVAL_STRING(&zfilename, temp_filename, 1);
		1318	register_http_post_files_variable_ex(lbuf, &zfilename, http_post_files, 1 TSRMLS_CC);
		1319	}
1293		1320
1294	{	1321	{
1295	zval file_size, error_type;	1322	zval file_size, error_type;