summaryrefslogtreecommitdiff
path: root/rfc1867.c
diff options
context:
space:
mode:
authorBen Fuhrmannek2016-05-21 13:39:07 +0200
committerBen Fuhrmannek2016-05-21 13:39:07 +0200
commit81550450b59193c36118e402b6003a9d40f3ae09 (patch)
treeaebf81af0a2b80bc239e2dc6cc170414eac5b4c7 /rfc1867.c
parent31559eae6ca406b80cebf3b89279d6f7ffdbccf8 (diff)
post and file upload handling
Diffstat (limited to 'rfc1867.c')
-rw-r--r--rfc1867.c1370
1 files changed, 1370 insertions, 0 deletions
diff --git a/rfc1867.c b/rfc1867.c
new file mode 100644
index 0000000..8daa0e8
--- /dev/null
+++ b/rfc1867.c
@@ -0,0 +1,1370 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19
20 Note: The following code is based on main/rfc1867.c from PHP 7.
21 | Copyright (c) 1997-2016 The PHP Group |
22 Original PHP Version 7 Authors:
23 | Authors: Rasmus Lerdorf <rasmus@php.net> |
24 | Jani Taskinen <jani@php.net> |
25
26 */
27
28/* $Id$ */
29
30/*
31 * This product includes software developed by the Apache Group
32 * for use in the Apache HTTP server project (http://www.apache.org/).
33 *
34 */
35
36#include <stdio.h>
37#include "php.h"
38#include "php_open_temporary_file.h"
39#include "zend_globals.h"
40#include "php_globals.h"
41#include "php_variables.h"
42// #include "rfc1867.h"
43#include "suhosin_rfc1867.h"
44#include "php_suhosin7.h"
45#include "ext/standard/php_string.h"
46#include "ext/standard/php_smart_string.h"
47
48#if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
49# define atoll(s) _atoi64(s)
50# define HAVE_ATOLL 1
51#endif
52
53#define DEBUG_FILE_UPLOAD ZEND_DEBUG
54
55static int dummy_encoding_translation(void)
56{
57 return 0;
58}
59
60static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
61static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
62
63static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
64static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
65static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
66static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
67static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
68static php_rfc1867_basename_t php_rfc1867_basename = NULL;
69
70#define php_rfc1867_callback suhosin_rfc1867_filter
71// PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
72
73static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection);
74
75/* The longest property name we use in an uploaded file array */
76#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
77
78/* The longest anonymous name */
79#define MAX_SIZE_ANONNAME 33
80
81/* Errors */
82#define UPLOAD_ERROR_OK 0 /* File upload successful */
83#define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */
84#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
85#define UPLOAD_ERROR_C 3 /* Partially uploaded */
86#define UPLOAD_ERROR_D 4 /* No file uploaded */
87#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
88#define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
89#define UPLOAD_ERROR_X 8 /* File upload stopped by extension */
90
91// void php_rfc1867_register_constants(void) /* {{{ */
92// {
93// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
94// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT);
95// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
96// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
97// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
98// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
99// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
100// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
101// }
102/* }}} */
103
104static void normalize_protected_variable(char *varname) /* {{{ */
105{
106 char *s = varname, *index = NULL, *indexend = NULL, *p;
107
108 /* overjump leading space */
109 while (*s == ' ') {
110 s++;
111 }
112
113 /* and remove it */
114 if (s != varname) {
115 memmove(varname, s, strlen(s)+1);
116 }
117
118 for (p = varname; *p && *p != '['; p++) {
119 switch(*p) {
120 case ' ':
121 case '.':
122 *p = '_';
123 break;
124 }
125 }
126
127 /* find index */
128 index = strchr(varname, '[');
129 if (index) {
130 index++;
131 s = index;
132 } else {
133 return;
134 }
135
136 /* done? */
137 while (index) {
138 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
139 index++;
140 }
141 indexend = strchr(index, ']');
142 indexend = indexend ? indexend + 1 : index + strlen(index);
143
144 if (s != index) {
145 memmove(s, index, strlen(index)+1);
146 s += indexend-index;
147 } else {
148 s = indexend;
149 }
150
151 if (*s == '[') {
152 s++;
153 index = s;
154 } else {
155 index = NULL;
156 }
157 }
158 *s = '\0';
159}
160/* }}} */
161
162static void add_protected_variable(char *varname) /* {{{ */
163{
164 normalize_protected_variable(varname);
165 zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
166}
167/* }}} */
168
169static zend_bool is_protected_variable(char *varname) /* {{{ */
170{
171 normalize_protected_variable(varname);
172 return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
173}
174/* }}} */
175
176static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection) /* {{{ */
177{
178 if (override_protection || !is_protected_variable(var)) {
179 php_register_variable_safe(var, strval, val_len, track_vars_array);
180 }
181}
182/* }}} */
183
184static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection) /* {{{ */
185{
186 if (override_protection || !is_protected_variable(var)) {
187 php_register_variable_ex(var, val, track_vars_array);
188 }
189}
190/* }}} */
191
192static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
193{
194 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
195}
196/* }}} */
197
198static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
199{
200 safe_php_register_variable_ex(var, val, http_post_files, override_protection);
201}
202/* }}} */
203
204static int unlink_filename(zval *el) /* {{{ */
205{
206 zend_string *filename = Z_STR_P(el);
207 VCWD_UNLINK(ZSTR_VAL(filename));
208 return 0;
209}
210/* }}} */
211
212
213static void free_filename(zval *el) {
214 zend_string *filename = Z_STR_P(el);
215 zend_string_release(filename);
216}
217
218PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
219{
220 zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename);
221 zend_hash_destroy(SG(rfc1867_uploaded_files));
222 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
223}
224/* }}} */
225
226/* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
227
228#define FILLUNIT (1024 * 5)
229
230typedef struct {
231
232 /* read buffer */
233 char *buffer;
234 char *buf_begin;
235 int bufsize;
236 int bytes_in_buffer;
237
238 /* boundary info */
239 char *boundary;
240 char *boundary_next;
241 int boundary_next_len;
242
243 const zend_encoding *input_encoding;
244 const zend_encoding **detect_order;
245 size_t detect_order_size;
246} multipart_buffer;
247
248typedef struct {
249 char *key;
250 char *value;
251} mime_header_entry;
252
253/*
254 * Fill up the buffer with client data.
255 * Returns number of bytes added to buffer.
256 */
257static int fill_buffer(multipart_buffer *self)
258{
259 int bytes_to_read, total_read = 0, actual_read = 0;
260
261 /* shift the existing data if necessary */
262 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
263 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
264 }
265
266 self->buf_begin = self->buffer;
267
268 /* calculate the free space in the buffer */
269 bytes_to_read = self->bufsize - self->bytes_in_buffer;
270
271 /* read the required number of bytes */
272 while (bytes_to_read > 0) {
273
274 char *buf = self->buffer + self->bytes_in_buffer;
275
276 actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
277
278 /* update the buffer length */
279 if (actual_read > 0) {
280 self->bytes_in_buffer += actual_read;
281 SG(read_post_bytes) += actual_read;
282 total_read += actual_read;
283 bytes_to_read -= actual_read;
284 } else {
285 break;
286 }
287 }
288
289 return total_read;
290}
291
292/* eof if we are out of bytes, or if we hit the final boundary */
293static int multipart_buffer_eof(multipart_buffer *self)
294{
295 if ( (self->bytes_in_buffer == 0 && fill_buffer(self) < 1) ) {
296 return 1;
297 } else {
298 return 0;
299 }
300}
301
302/* create new multipart_buffer structure */
303static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
304{
305 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
306
307 int minsize = boundary_len + 6;
308 if (minsize < FILLUNIT) minsize = FILLUNIT;
309
310 self->buffer = (char *) ecalloc(1, minsize + 1);
311 self->bufsize = minsize;
312
313 spprintf(&self->boundary, 0, "--%s", boundary);
314
315 self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
316
317 self->buf_begin = self->buffer;
318 self->bytes_in_buffer = 0;
319
320 if (php_rfc1867_encoding_translation()) {
321 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
322 } else {
323 self->detect_order = NULL;
324 self->detect_order_size = 0;
325 }
326
327 self->input_encoding = NULL;
328
329 return self;
330}
331
332/*
333 * Gets the next CRLF terminated line from the input buffer.
334 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
335 * NULL; otherwise, returns the beginning of the null-terminated line,
336 * minus the CRLF.
337 *
338 * Note that we really just look for LF terminated lines. This works
339 * around a bug in internet explorer for the macintosh which sends mime
340 * boundaries that are only LF terminated when you use an image submit
341 * button in a multipart/form-data form.
342 */
343static char *next_line(multipart_buffer *self)
344{
345 /* look for LF in the data */
346 char* line = self->buf_begin;
347 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
348
349 if (ptr) { /* LF found */
350
351 /* terminate the string, remove CRLF */
352 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
353 *(ptr-1) = 0;
354 } else {
355 *ptr = 0;
356 }
357
358 /* bump the pointer */
359 self->buf_begin = ptr + 1;
360 self->bytes_in_buffer -= (self->buf_begin - line);
361
362 } else { /* no LF found */
363
364 /* buffer isn't completely full, fail */
365 if (self->bytes_in_buffer < self->bufsize) {
366 return NULL;
367 }
368 /* return entire buffer as a partial line */
369 line[self->bufsize] = 0;
370 self->buf_begin = ptr;
371 self->bytes_in_buffer = 0;
372 }
373
374 return line;
375}
376
377/* Returns the next CRLF terminated line from the client */
378static char *get_line(multipart_buffer *self)
379{
380 char* ptr = next_line(self);
381
382 if (!ptr) {
383 fill_buffer(self);
384 ptr = next_line(self);
385 }
386
387 return ptr;
388}
389
390/* Free header entry */
391static void php_free_hdr_entry(mime_header_entry *h)
392{
393 if (h->key) {
394 efree(h->key);
395 }
396 if (h->value) {
397 efree(h->value);
398 }
399}
400
401/* finds a boundary */
402static int find_boundary(multipart_buffer *self, char *boundary)
403{
404 char *line;
405
406 /* loop thru lines */
407 while( (line = get_line(self)) )
408 {
409 /* finished if we found the boundary */
410 if (!strcmp(line, boundary)) {
411 return 1;
412 }
413 }
414
415 /* didn't find the boundary */
416 return 0;
417}
418
419/* parse headers */
420static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
421{
422 char *line;
423 mime_header_entry entry = {0};
424 smart_string buf_value = {0};
425 char *key = NULL;
426 size_t newlines = 0;
427
428 /* didn't find boundary, abort */
429 if (!find_boundary(self, self->boundary)) {
430 return 0;
431 }
432
433 /* get lines of text, or CRLF_CRLF */
434
435 while ((line = get_line(self)) && line[0] != '\0') {
436 /* add header to table */
437 char *value = NULL;
438
439 if (php_rfc1867_encoding_translation()) {
440 self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
441 }
442
443 /* space in the beginning means same header */
444 if (!isspace(line[0])) {
445 value = strchr(line, ':');
446 }
447
448 if (value) {
449 if (buf_value.c && key) {
450 /* new entry, add the old one to the list */
451 smart_string_0(&buf_value);
452 entry.key = key;
453 entry.value = buf_value.c;
454 zend_llist_add_element(header, &entry);
455 buf_value.c = NULL;
456 key = NULL;
457 }
458
459 *value = '\0';
460 do { value++; } while (isspace(*value));
461
462 key = estrdup(line);
463 smart_string_appends(&buf_value, value);
464 newlines = 0;
465 } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
466 newlines++;
467 if (newlines > SUHOSIN7_G(upload_max_newlines)) {
468 SUHOSIN7_G(abort_request) = 1;
469 suhosin_log(S_FILES, "configured maximum number of newlines in RFC1867 MIME headers limit exceeded - dropping rest of upload");
470 return 0;
471 }
472 smart_string_appends(&buf_value, line);
473
474 } else {
475 continue;
476 }
477 }
478
479 if (buf_value.c && key) {
480 /* add the last one to the list */
481 smart_string_0(&buf_value);
482 entry.key = key;
483 entry.value = buf_value.c;
484 zend_llist_add_element(header, &entry);
485 }
486
487 return 1;
488}
489
490static char *php_mime_get_hdr_value(zend_llist header, char *key)
491{
492 mime_header_entry *entry;
493
494 if (key == NULL) {
495 return NULL;
496 }
497
498 entry = zend_llist_get_first(&header);
499 while (entry) {
500 if (!strcasecmp(entry->key, key)) {
501 return entry->value;
502 }
503 entry = zend_llist_get_next(&header);
504 }
505
506 return NULL;
507}
508
509static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
510{
511 char *pos = *line, quote;
512 char *res;
513
514 while (*pos && *pos != stop) {
515 if ((quote = *pos) == '"' || quote == '\'') {
516 ++pos;
517 while (*pos && *pos != quote) {
518 if (*pos == '\\' && pos[1] && pos[1] == quote) {
519 pos += 2;
520 } else {
521 ++pos;
522 }
523 }
524 if (*pos) {
525 ++pos;
526 }
527 } else ++pos;
528 }
529 if (*pos == '\0') {
530 res = estrdup(*line);
531 *line += strlen(*line);
532 return res;
533 }
534
535 res = estrndup(*line, pos - *line);
536
537 while (*pos == stop) {
538 ++pos;
539 }
540
541 *line = pos;
542 return res;
543}
544
545static char *substring_conf(char *start, int len, char quote)
546{
547 char *result = emalloc(len + 1);
548 char *resp = result;
549 int i;
550
551 for (i = 0; i < len && start[i] != quote; ++i) {
552 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
553 *resp++ = start[++i];
554 } else {
555 *resp++ = start[i];
556 }
557 }
558
559 *resp = '\0';
560 return result;
561}
562
563static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
564{
565 while (*str && isspace(*str)) {
566 ++str;
567 }
568
569 if (!*str) {
570 return estrdup("");
571 }
572
573 if (*str == '"' || *str == '\'') {
574 char quote = *str;
575
576 str++;
577 return substring_conf(str, (int)strlen(str), quote);
578 } else {
579 char *strend = str;
580
581 while (*strend && !isspace(*strend)) {
582 ++strend;
583 }
584 return substring_conf(str, strend - str, 0);
585 }
586}
587
588static char *php_ap_basename(const zend_encoding *encoding, char *path)
589{
590 char *s = strrchr(path, '\\');
591 char *s2 = strrchr(path, '/');
592
593 if (s && s2) {
594 if (s > s2) {
595 ++s;
596 } else {
597 s = ++s2;
598 }
599 return s;
600 } else if (s) {
601 return ++s;
602 } else if (s2) {
603 return ++s2;
604 }
605 return path;
606}
607
608/*
609 * Search for a string in a fixed-length byte string.
610 * If partial is true, partial matches are allowed at the end of the buffer.
611 * Returns NULL if not found, or a pointer to the start of the first match.
612 */
613static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
614{
615 int len = haystacklen;
616 char *ptr = haystack;
617
618 /* iterate through first character matches */
619 while( (ptr = memchr(ptr, needle[0], len)) ) {
620
621 /* calculate length after match */
622 len = haystacklen - (ptr - (char *)haystack);
623
624 /* done if matches up to capacity of buffer */
625 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
626 break;
627 }
628
629 /* next character */
630 ptr++; len--;
631 }
632
633 return ptr;
634}
635
636/* read until a boundary condition */
637static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
638{
639 size_t len, max;
640 char *bound;
641
642 /* fill buffer if needed */
643 if (bytes > self->bytes_in_buffer) {
644 fill_buffer(self);
645 }
646
647 /* look for a potential boundary match, only read data up to that point */
648 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
649 max = bound - self->buf_begin;
650 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
651 *end = 1;
652 }
653 } else {
654 max = self->bytes_in_buffer;
655 }
656
657 /* maximum number of bytes we are reading */
658 len = max < bytes-1 ? max : bytes-1;
659
660 /* if we read any data... */
661 if (len > 0) {
662
663 /* copy the data */
664 memcpy(buf, self->buf_begin, len);
665 buf[len] = 0;
666
667 if (bound && len > 0 && buf[len-1] == '\r') {
668 buf[--len] = 0;
669 }
670
671 /* update the buffer */
672 self->bytes_in_buffer -= (int)len;
673 self->buf_begin += len;
674 }
675
676 return (int)len;
677}
678
679/*
680 XXX: this is horrible memory-usage-wise, but we only expect
681 to do this on small pieces of form data.
682*/
683static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
684{
685 char buf[FILLUNIT], *out=NULL;
686 int total_bytes=0, read_bytes=0;
687
688 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
689 out = erealloc(out, total_bytes + read_bytes + 1);
690 memcpy(out + total_bytes, buf, read_bytes);
691 total_bytes += read_bytes;
692 }
693
694 if (out) {
695 out[total_bytes] = '\0';
696 }
697 *len = total_bytes;
698
699 return out;
700}
701/* }}} */
702
703/*
704 * The combined READER/HANDLER
705 *
706 */
707
708SAPI_API SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler) /* {{{ */
709{
710 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
711 char *lbuf = NULL, *abuf = NULL;
712 zend_string *temp_filename = NULL;
713 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
714 int64_t total_bytes = 0, max_file_size = 0;
715 int skip_upload = 0, anonindex = 0, is_anonymous;
716 HashTable *uploaded_files = NULL;
717 multipart_buffer *mbuff;
718 zval *array_ptr = (zval *) arg;
719 int fd = -1;
720 zend_llist header;
721 void *event_extra_data = NULL;
722 unsigned int llen = 0;
723 int upload_cnt = INI_INT("max_file_uploads");
724 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
725 php_rfc1867_getword_t getword;
726 php_rfc1867_getword_conf_t getword_conf;
727 php_rfc1867_basename_t _basename;
728 zend_long count = 0;
729
730 if (php_rfc1867_encoding_translation() && internal_encoding) {
731 getword = php_rfc1867_getword;
732 getword_conf = php_rfc1867_getword_conf;
733 _basename = php_rfc1867_basename;
734 } else {
735 getword = php_ap_getword;
736 getword_conf = php_ap_getword_conf;
737 _basename = php_ap_basename;
738 }
739
740 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
741 sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
742 return;
743 }
744
745 /* Get the boundary */
746 boundary = strstr(content_type_dup, "boundary");
747 if (!boundary) {
748 int content_type_len = (int)strlen(content_type_dup);
749 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
750
751 php_strtolower(content_type_lcase, content_type_len);
752 boundary = strstr(content_type_lcase, "boundary");
753 if (boundary) {
754 boundary = content_type_dup + (boundary - content_type_lcase);
755 }
756 efree(content_type_lcase);
757 }
758
759 if (!boundary || !(boundary = strchr(boundary, '='))) {
760 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
761 return;
762 }
763
764 boundary++;
765 boundary_len = (int)strlen(boundary);
766
767 if (boundary[0] == '"') {
768 boundary++;
769 boundary_end = strchr(boundary, '"');
770 if (!boundary_end) {
771 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
772 return;
773 }
774 } else {
775 /* search for the end of the boundary */
776 boundary_end = strpbrk(boundary, ",;");
777 }
778 if (boundary_end) {
779 boundary_end[0] = '\0';
780 boundary_len = boundary_end-boundary;
781 }
782
783 /* Initialize the buffer */
784 if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
785 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
786 return;
787 }
788
789 /* Initialize $_FILES[] */
790 zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
791
792 ALLOC_HASHTABLE(uploaded_files);
793 zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
794 SG(rfc1867_uploaded_files) = uploaded_files;
795
796 if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
797 /* php_auto_globals_create_files() might have already done that */
798 array_init(&PG(http_globals)[TRACK_VARS_FILES]);
799 }
800
801 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
802
803 if (php_rfc1867_callback != NULL) {
804 multipart_event_start event_start;
805
806 event_start.content_length = SG(request_info).content_length;
807 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
808 goto fileupload_done;
809 }
810 }
811
812 while (!multipart_buffer_eof(mbuff))
813 {
814 char buff[FILLUNIT];
815 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
816 size_t blen = 0, wlen = 0;
817 zend_off_t offset;
818
819 zend_llist_clean(&header);
820
821 if (!multipart_buffer_headers(mbuff, &header)) {
822 goto fileupload_done;
823 }
824
825 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
826 char *pair = NULL;
827 int end = 0;
828
829 while (isspace(*cd)) {
830 ++cd;
831 }
832
833 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
834 {
835 char *key = NULL, *word = pair;
836
837 while (isspace(*cd)) {
838 ++cd;
839 }
840
841 if (strchr(pair, '=')) {
842 key = getword(mbuff->input_encoding, &pair, '=');
843
844 if (!strcasecmp(key, "name")) {
845 if (param) {
846 efree(param);
847 }
848 param = getword_conf(mbuff->input_encoding, pair);
849 if (mbuff->input_encoding && internal_encoding) {
850 unsigned char *new_param;
851 size_t new_param_len;
852 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
853 efree(param);
854 param = (char *)new_param;
855 }
856 }
857 } else if (!strcasecmp(key, "filename")) {
858 if (filename) {
859 efree(filename);
860 }
861 filename = getword_conf(mbuff->input_encoding, pair);
862 if (mbuff->input_encoding && internal_encoding) {
863 unsigned char *new_filename;
864 size_t new_filename_len;
865 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
866 efree(filename);
867 filename = (char *)new_filename;
868 }
869 }
870 }
871 }
872 if (key) {
873 efree(key);
874 }
875 efree(word);
876 }
877
878 /* Normal form variable, safe to read all data into memory */
879 if (!filename && param) {
880 size_t value_len;
881 char *value = multipart_buffer_read_body(mbuff, &value_len);
882 size_t new_val_len; /* Dummy variable */
883
884 if (!value) {
885 value = estrdup("");
886 value_len = 0;
887 }
888
889 if (mbuff->input_encoding && internal_encoding) {
890 unsigned char *new_value;
891 size_t new_value_len;
892 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
893 efree(value);
894 value = (char *)new_value;
895 value_len = new_value_len;
896 }
897 }
898
899 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
900 if (php_rfc1867_callback != NULL) {
901 multipart_event_formdata event_formdata;
902 size_t newlength = new_val_len;
903
904 event_formdata.post_bytes_processed = SG(read_post_bytes);
905 event_formdata.name = param;
906 event_formdata.value = &value;
907 event_formdata.length = new_val_len;
908 event_formdata.newlength = &newlength;
909 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
910 efree(param);
911 efree(value);
912 continue;
913 }
914 new_val_len = newlength;
915 }
916 safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
917 } else {
918 if (count == PG(max_input_vars) + 1) {
919 php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
920 }
921
922 if (php_rfc1867_callback != NULL) {
923 multipart_event_formdata event_formdata;
924
925 event_formdata.post_bytes_processed = SG(read_post_bytes);
926 event_formdata.name = param;
927 event_formdata.value = &value;
928 event_formdata.length = value_len;
929 event_formdata.newlength = NULL;
930 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
931 }
932 }
933
934 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
935#ifdef HAVE_ATOLL
936 max_file_size = atoll(value);
937#else
938 max_file_size = strtoll(value, NULL, 10);
939#endif
940 }
941
942 efree(param);
943 efree(value);
944 continue;
945 }
946
947 /* If file_uploads=off, skip the file part */
948 if (!PG(file_uploads)) {
949 skip_upload = 1;
950 } else if (upload_cnt <= 0) {
951 skip_upload = 1;
952 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
953 }
954
955 /* Return with an error if the posted data is garbled */
956 if (!param && !filename) {
957 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
958 goto fileupload_done;
959 }
960
961 if (!param) {
962 is_anonymous = 1;
963 param = emalloc(MAX_SIZE_ANONNAME);
964 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
965 } else {
966 is_anonymous = 0;
967 }
968
969 /* New Rule: never repair potential malicious user input */
970 if (!skip_upload) {
971 long c = 0;
972 tmp = param;
973
974 while (*tmp) {
975 if (*tmp == '[') {
976 c++;
977 } else if (*tmp == ']') {
978 c--;
979 if (tmp[1] && tmp[1] != '[') {
980 skip_upload = 1;
981 break;
982 }
983 }
984 if (c < 0) {
985 skip_upload = 1;
986 break;
987 }
988 tmp++;
989 }
990 /* Brackets should always be closed */
991 if(c != 0) {
992 skip_upload = 1;
993 }
994 }
995
996 total_bytes = cancel_upload = 0;
997 temp_filename = NULL;
998 fd = -1;
999
1000 if (!skip_upload && php_rfc1867_callback != NULL) {
1001 multipart_event_file_start event_file_start;
1002
1003 event_file_start.post_bytes_processed = SG(read_post_bytes);
1004 event_file_start.name = param;
1005 event_file_start.filename = &filename;
1006 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
1007 temp_filename = NULL;
1008 efree(param);
1009 efree(filename);
1010 continue;
1011 }
1012 }
1013
1014 if (skip_upload) {
1015 efree(param);
1016 efree(filename);
1017 continue;
1018 }
1019
1020 if (filename[0] == '\0') {
1021#if DEBUG_FILE_UPLOAD
1022 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
1023#endif
1024 cancel_upload = UPLOAD_ERROR_D;
1025 }
1026
1027 offset = 0;
1028 end = 0;
1029
1030 if (!cancel_upload) {
1031 /* only bother to open temp file if we have data */
1032 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1033#if DEBUG_FILE_UPLOAD
1034 if (blen > 0) {
1035#else
1036 /* in non-debug mode we have no problem with 0-length files */
1037 {
1038#endif
1039 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1);
1040 upload_cnt--;
1041 if (fd == -1) {
1042 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1043 cancel_upload = UPLOAD_ERROR_E;
1044 }
1045 }
1046 }
1047
1048 while (!cancel_upload && (blen > 0))
1049 {
1050 if (php_rfc1867_callback != NULL) {
1051 multipart_event_file_data event_file_data;
1052
1053 event_file_data.post_bytes_processed = SG(read_post_bytes);
1054 event_file_data.offset = offset;
1055 event_file_data.data = buff;
1056 event_file_data.length = blen;
1057 event_file_data.newlength = &blen;
1058 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1059 cancel_upload = UPLOAD_ERROR_X;
1060 continue;
1061 }
1062 }
1063
1064 if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1065#if DEBUG_FILE_UPLOAD
1066 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1067#endif
1068 cancel_upload = UPLOAD_ERROR_A;
1069 } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1070#if DEBUG_FILE_UPLOAD
1071 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1072#endif
1073 cancel_upload = UPLOAD_ERROR_B;
1074 } else if (blen > 0) {
1075#ifdef PHP_WIN32
1076 wlen = write(fd, buff, (unsigned int)blen);
1077#else
1078 wlen = write(fd, buff, blen);
1079#endif
1080
1081 if (wlen == -1) {
1082 /* write failed */
1083#if DEBUG_FILE_UPLOAD
1084 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1085#endif
1086 cancel_upload = UPLOAD_ERROR_F;
1087 } else if (wlen < blen) {
1088#if DEBUG_FILE_UPLOAD
1089 sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
1090#endif
1091 cancel_upload = UPLOAD_ERROR_F;
1092 } else {
1093 total_bytes += wlen;
1094 }
1095 offset += wlen;
1096 }
1097
1098 /* read data for next iteration */
1099 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1100 }
1101
1102 if (fd != -1) { /* may not be initialized if file could not be created */
1103 close(fd);
1104 }
1105
1106 if (!cancel_upload && !end) {
1107#if DEBUG_FILE_UPLOAD
1108 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1109#endif
1110 cancel_upload = UPLOAD_ERROR_C;
1111 }
1112#if DEBUG_FILE_UPLOAD
1113 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1114 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1115 cancel_upload = 5;
1116 }
1117#endif
1118 if (php_rfc1867_callback != NULL) {
1119 multipart_event_file_end event_file_end;
1120
1121 event_file_end.post_bytes_processed = SG(read_post_bytes);
1122 event_file_end.temp_filename = ZSTR_VAL(temp_filename);
1123 event_file_end.cancel_upload = cancel_upload;
1124 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1125 cancel_upload = UPLOAD_ERROR_X;
1126 }
1127 }
1128
1129 if (cancel_upload) {
1130 if (temp_filename) {
1131 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
1132 unlink(ZSTR_VAL(temp_filename));
1133 }
1134 zend_string_release(temp_filename);
1135 }
1136 temp_filename = NULL;
1137 } else {
1138 zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1139 }
1140
1141 /* is_arr_upload is true when name of file upload field
1142 * ends in [.*]
1143 * start_arr is set to point to 1st [ */
1144 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1145
1146 if (is_arr_upload) {
1147 array_len = (int)strlen(start_arr);
1148 if (array_index) {
1149 efree(array_index);
1150 }
1151 array_index = estrndup(start_arr + 1, array_len - 2);
1152 }
1153
1154 /* Add $foo_name */
1155 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1156 llen = (int)strlen(param);
1157 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1158 llen += MAX_SIZE_OF_INDEX + 1;
1159 }
1160
1161 if (is_arr_upload) {
1162 if (abuf) efree(abuf);
1163 abuf = estrndup(param, strlen(param)-array_len);
1164 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1165 } else {
1166 snprintf(lbuf, llen, "%s_name", param);
1167 }
1168
1169 /* The \ check should technically be needed for win32 systems only where
1170 * it is a valid path separator. However, IE in all it's wisdom always sends
1171 * the full path of the file on the user's filesystem, which means that unless
1172 * the user does basename() they get a bogus file name. Until IE's user base drops
1173 * to nill or problem is fixed this code must remain enabled for all systems. */
1174 s = _basename(internal_encoding, filename);
1175 if (!s) {
1176 s = filename;
1177 }
1178
1179 if (!is_anonymous) {
1180 safe_php_register_variable(lbuf, s, strlen(s), NULL, 0);
1181 }
1182
1183 /* Add $foo[name] */
1184 if (is_arr_upload) {
1185 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1186 } else {
1187 snprintf(lbuf, llen, "%s[name]", param);
1188 }
1189 register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1190 efree(filename);
1191 s = NULL;
1192
1193 /* Possible Content-Type: */
1194 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1195 cd = "";
1196 } else {
1197 /* fix for Opera 6.01 */
1198 s = strchr(cd, ';');
1199 if (s != NULL) {
1200 *s = '\0';
1201 }
1202 }
1203
1204 /* Add $foo_type */
1205 if (is_arr_upload) {
1206 snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1207 } else {
1208 snprintf(lbuf, llen, "%s_type", param);
1209 }
1210 if (!is_anonymous) {
1211 safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0);
1212 }
1213
1214 /* Add $foo[type] */
1215 if (is_arr_upload) {
1216 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1217 } else {
1218 snprintf(lbuf, llen, "%s[type]", param);
1219 }
1220 register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1221
1222 /* Restore Content-Type Header */
1223 if (s != NULL) {
1224 *s = ';';
1225 }
1226 s = "";
1227
1228 {
1229 /* store temp_filename as-is (in case upload_tmp_dir
1230 * contains escapeable characters. escape only the variable name.) */
1231 zval zfilename;
1232
1233 /* Initialize variables */
1234 add_protected_variable(param);
1235
1236 /* if param is of form xxx[.*] this will cut it to xxx */
1237 if (!is_anonymous) {
1238 if (temp_filename) {
1239 ZVAL_STR_COPY(&zfilename, temp_filename);
1240 } else {
1241 ZVAL_EMPTY_STRING(&zfilename);
1242 }
1243 safe_php_register_variable_ex(param, &zfilename, NULL, 1);
1244 }
1245
1246 /* Add $foo[tmp_name] */
1247 if (is_arr_upload) {
1248 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1249 } else {
1250 snprintf(lbuf, llen, "%s[tmp_name]", param);
1251 }
1252 add_protected_variable(lbuf);
1253 if (temp_filename) {
1254 ZVAL_STR_COPY(&zfilename, temp_filename);
1255 } else {
1256 ZVAL_EMPTY_STRING(&zfilename);
1257 }
1258 register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1259 }
1260
1261 {
1262 zval file_size, error_type;
1263 int size_overflow = 0;
1264 char file_size_buf[65];
1265
1266 ZVAL_LONG(&error_type, cancel_upload);
1267
1268 /* Add $foo[error] */
1269 if (cancel_upload) {
1270 ZVAL_LONG(&file_size, 0);
1271 } else {
1272 if (total_bytes > ZEND_LONG_MAX) {
1273#ifdef PHP_WIN32
1274 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1275 file_size_buf[0] = '0';
1276 file_size_buf[1] = '\0';
1277 }
1278#else
1279 {
1280 int __len = snprintf(file_size_buf, 65, "%lld", total_bytes);
1281 file_size_buf[__len] = '\0';
1282 }
1283#endif
1284 size_overflow = 1;
1285
1286 } else {
1287 ZVAL_LONG(&file_size, total_bytes);
1288 }
1289 }
1290
1291 if (is_arr_upload) {
1292 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1293 } else {
1294 snprintf(lbuf, llen, "%s[error]", param);
1295 }
1296 register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1297
1298 /* Add $foo_size */
1299 if (is_arr_upload) {
1300 snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1301 } else {
1302 snprintf(lbuf, llen, "%s_size", param);
1303 }
1304 if (!is_anonymous) {
1305 if (size_overflow) {
1306 ZVAL_STRING(&file_size, file_size_buf);
1307 }
1308 safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow);
1309 }
1310
1311 /* Add $foo[size] */
1312 if (is_arr_upload) {
1313 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1314 } else {
1315 snprintf(lbuf, llen, "%s[size]", param);
1316 }
1317 if (size_overflow) {
1318 ZVAL_STRING(&file_size, file_size_buf);
1319 }
1320 register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1321 }
1322 efree(param);
1323 }
1324 }
1325
1326fileupload_done:
1327 if (php_rfc1867_callback != NULL) {
1328 multipart_event_end event_end;
1329
1330 event_end.post_bytes_processed = SG(read_post_bytes);
1331 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1332 }
1333
1334 if (lbuf) efree(lbuf);
1335 if (abuf) efree(abuf);
1336 if (array_index) efree(array_index);
1337 zend_hash_destroy(&PG(rfc1867_protected_variables));
1338 zend_llist_destroy(&header);
1339 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1340 if (mbuff->boundary) efree(mbuff->boundary);
1341 if (mbuff->buffer) efree(mbuff->buffer);
1342 if (mbuff) efree(mbuff);
1343}
1344/* }}} */
1345
1346// SAPI_API void php_rfc1867_set_multibyte_callbacks(
1347// php_rfc1867_encoding_translation_t encoding_translation,
1348// php_rfc1867_get_detect_order_t get_detect_order,
1349// php_rfc1867_set_input_encoding_t set_input_encoding,
1350// php_rfc1867_getword_t getword,
1351// php_rfc1867_getword_conf_t getword_conf,
1352// php_rfc1867_basename_t basename) /* {{{ */
1353// {
1354// php_rfc1867_encoding_translation = encoding_translation;
1355// php_rfc1867_get_detect_order = get_detect_order;
1356// php_rfc1867_set_input_encoding = set_input_encoding;
1357// php_rfc1867_getword = getword;
1358// php_rfc1867_getword_conf = getword_conf;
1359// php_rfc1867_basename = basename;
1360// }
1361/* }}} */
1362
1363/*
1364 * Local variables:
1365 * tab-width: 4
1366 * c-basic-offset: 4
1367 * End:
1368 * vim600: sw=4 ts=4 fdm=marker
1369 * vim<600: sw=4 ts=4
1370 */