This source file includes following definitions.
- dummy_encoding_translation
- php_rfc1867_register_constants
- normalize_protected_variable
- add_protected_variable
- is_protected_variable
- safe_php_register_variable
- safe_php_register_variable_ex
- register_http_post_files_variable
- register_http_post_files_variable_ex
- unlink_filename
- destroy_uploaded_files_hash
- fill_buffer
- multipart_buffer_eof
- multipart_buffer_new
- next_line
- get_line
- php_free_hdr_entry
- find_boundary
- multipart_buffer_headers
- php_mime_get_hdr_value
- php_ap_getword
- substring_conf
- php_ap_getword_conf
- php_ap_basename
- php_ap_memstr
- multipart_buffer_read
- multipart_buffer_read_body
- SAPI_POST_HANDLER_FUNC
- php_rfc1867_set_multibyte_callbacks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28 #include <stdio.h>
29 #include "php.h"
30 #include "php_open_temporary_file.h"
31 #include "zend_globals.h"
32 #include "php_globals.h"
33 #include "php_variables.h"
34 #include "rfc1867.h"
35 #include "ext/standard/php_string.h"
36 #include "ext/standard/php_smart_str.h"
37
38 #if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
39 # define atoll(s) _atoi64(s)
40 # define HAVE_ATOLL 1
41 #endif
42
43 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
44
45 static int dummy_encoding_translation(TSRMLS_D)
46 {
47 return 0;
48 }
49
50 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop TSRMLS_DC);
51 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str TSRMLS_DC);
52
53 static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
54 static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
55 static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
56 static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
57 static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
58 static php_rfc1867_basename_t php_rfc1867_basename = NULL;
59
60 PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra TSRMLS_DC) = NULL;
61
62 static void safe_php_register_variable(char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC);
63
64
65 #define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
66
67
68 #define MAX_SIZE_ANONNAME 33
69
70
71 #define UPLOAD_ERROR_OK 0
72 #define UPLOAD_ERROR_A 1
73 #define UPLOAD_ERROR_B 2
74 #define UPLOAD_ERROR_C 3
75 #define UPLOAD_ERROR_D 4
76 #define UPLOAD_ERROR_E 6
77 #define UPLOAD_ERROR_F 7
78 #define UPLOAD_ERROR_X 8
79
80 void php_rfc1867_register_constants(TSRMLS_D)
81 {
82 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
83 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT);
84 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
85 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
86 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
87 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
88 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
89 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
90 }
91
92
93 static void normalize_protected_variable(char *varname TSRMLS_DC)
94 {
95 char *s = varname, *index = NULL, *indexend = NULL, *p;
96
97
98 while (*s == ' ') {
99 s++;
100 }
101
102
103 if (s != varname) {
104 memmove(varname, s, strlen(s)+1);
105 }
106
107 for (p = varname; *p && *p != '['; p++) {
108 switch(*p) {
109 case ' ':
110 case '.':
111 *p = '_';
112 break;
113 }
114 }
115
116
117 index = strchr(varname, '[');
118 if (index) {
119 index++;
120 s = index;
121 } else {
122 return;
123 }
124
125
126 while (index) {
127 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
128 index++;
129 }
130 indexend = strchr(index, ']');
131 indexend = indexend ? indexend + 1 : index + strlen(index);
132
133 if (s != index) {
134 memmove(s, index, strlen(index)+1);
135 s += indexend-index;
136 } else {
137 s = indexend;
138 }
139
140 if (*s == '[') {
141 s++;
142 index = s;
143 } else {
144 index = NULL;
145 }
146 }
147 *s = '\0';
148 }
149
150
151 static void add_protected_variable(char *varname TSRMLS_DC)
152 {
153 int dummy = 1;
154
155 normalize_protected_variable(varname TSRMLS_CC);
156 zend_hash_add(&PG(rfc1867_protected_variables), varname, strlen(varname)+1, &dummy, sizeof(int), NULL);
157 }
158
159
160 static zend_bool is_protected_variable(char *varname TSRMLS_DC)
161 {
162 normalize_protected_variable(varname TSRMLS_CC);
163 return zend_hash_exists(&PG(rfc1867_protected_variables), varname, strlen(varname)+1);
164 }
165
166
167 static void safe_php_register_variable(char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC)
168 {
169 if (override_protection || !is_protected_variable(var TSRMLS_CC)) {
170 php_register_variable_safe(var, strval, val_len, track_vars_array TSRMLS_CC);
171 }
172 }
173
174
175 static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection TSRMLS_DC)
176 {
177 if (override_protection || !is_protected_variable(var TSRMLS_CC)) {
178 php_register_variable_ex(var, val, track_vars_array TSRMLS_CC);
179 }
180 }
181
182
183 static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC)
184 {
185 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection TSRMLS_CC);
186 }
187
188
189 static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC)
190 {
191 safe_php_register_variable_ex(var, val, http_post_files, override_protection TSRMLS_CC);
192 }
193
194
195 static int unlink_filename(char **filename TSRMLS_DC)
196 {
197 VCWD_UNLINK(*filename);
198 return 0;
199 }
200
201
202 void destroy_uploaded_files_hash(TSRMLS_D)
203 {
204 zend_hash_apply(SG(rfc1867_uploaded_files), (apply_func_t) unlink_filename TSRMLS_CC);
205 zend_hash_destroy(SG(rfc1867_uploaded_files));
206 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
207 }
208
209
210
211
212 #define FILLUNIT (1024 * 5)
213
214 typedef struct {
215
216
217 char *buffer;
218 char *buf_begin;
219 int bufsize;
220 int bytes_in_buffer;
221
222
223 char *boundary;
224 char *boundary_next;
225 int boundary_next_len;
226
227 const zend_encoding *input_encoding;
228 const zend_encoding **detect_order;
229 size_t detect_order_size;
230 } multipart_buffer;
231
232 typedef struct {
233 char *key;
234 char *value;
235 } mime_header_entry;
236
237
238
239
240
241 static int fill_buffer(multipart_buffer *self TSRMLS_DC)
242 {
243 int bytes_to_read, total_read = 0, actual_read = 0;
244
245
246 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
247 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
248 }
249
250 self->buf_begin = self->buffer;
251
252
253 bytes_to_read = self->bufsize - self->bytes_in_buffer;
254
255
256 while (bytes_to_read > 0) {
257
258 char *buf = self->buffer + self->bytes_in_buffer;
259
260 actual_read = sapi_module.read_post(buf, bytes_to_read TSRMLS_CC);
261
262
263 if (actual_read > 0) {
264 self->bytes_in_buffer += actual_read;
265 SG(read_post_bytes) += actual_read;
266 total_read += actual_read;
267 bytes_to_read -= actual_read;
268 } else {
269 break;
270 }
271 }
272
273 return total_read;
274 }
275
276
277 static int multipart_buffer_eof(multipart_buffer *self TSRMLS_DC)
278 {
279 if ( (self->bytes_in_buffer == 0 && fill_buffer(self TSRMLS_CC) < 1) ) {
280 return 1;
281 } else {
282 return 0;
283 }
284 }
285
286
287 static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len TSRMLS_DC)
288 {
289 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
290
291 int minsize = boundary_len + 6;
292 if (minsize < FILLUNIT) minsize = FILLUNIT;
293
294 self->buffer = (char *) ecalloc(1, minsize + 1);
295 self->bufsize = minsize;
296
297 spprintf(&self->boundary, 0, "--%s", boundary);
298
299 self->boundary_next_len = spprintf(&self->boundary_next, 0, "\n--%s", boundary);
300
301 self->buf_begin = self->buffer;
302 self->bytes_in_buffer = 0;
303
304 if (php_rfc1867_encoding_translation(TSRMLS_C)) {
305 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size TSRMLS_CC);
306 } else {
307 self->detect_order = NULL;
308 self->detect_order_size = 0;
309 }
310
311 self->input_encoding = NULL;
312
313 return self;
314 }
315
316
317
318
319
320
321
322
323
324
325
326
327 static char *next_line(multipart_buffer *self)
328 {
329
330 char* line = self->buf_begin;
331 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
332
333 if (ptr) {
334
335
336 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
337 *(ptr-1) = 0;
338 } else {
339 *ptr = 0;
340 }
341
342
343 self->buf_begin = ptr + 1;
344 self->bytes_in_buffer -= (self->buf_begin - line);
345
346 } else {
347
348
349 if (self->bytes_in_buffer < self->bufsize) {
350 return NULL;
351 }
352
353 line[self->bufsize] = 0;
354 self->buf_begin = ptr;
355 self->bytes_in_buffer = 0;
356 }
357
358 return line;
359 }
360
361
362 static char *get_line(multipart_buffer *self TSRMLS_DC)
363 {
364 char* ptr = next_line(self);
365
366 if (!ptr) {
367 fill_buffer(self TSRMLS_CC);
368 ptr = next_line(self);
369 }
370
371 return ptr;
372 }
373
374
375 static void php_free_hdr_entry(mime_header_entry *h)
376 {
377 if (h->key) {
378 efree(h->key);
379 }
380 if (h->value) {
381 efree(h->value);
382 }
383 }
384
385
386 static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC)
387 {
388 char *line;
389
390
391 while( (line = get_line(self TSRMLS_CC)) )
392 {
393
394 if (!strcmp(line, boundary)) {
395 return 1;
396 }
397 }
398
399
400 return 0;
401 }
402
403
404 static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
405 {
406 char *line;
407 mime_header_entry entry = {0};
408 smart_str buf_value = {0};
409 char *key = NULL;
410
411
412 if (!find_boundary(self, self->boundary TSRMLS_CC)) {
413 return 0;
414 }
415
416
417
418 while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' )
419 {
420
421 char *value = NULL;
422
423 if (php_rfc1867_encoding_translation(TSRMLS_C)) {
424 self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
425 }
426
427
428 if (!isspace(line[0])) {
429 value = strchr(line, ':');
430 }
431
432 if (value) {
433 if(buf_value.c && key) {
434
435 smart_str_0(&buf_value);
436 entry.key = key;
437 entry.value = buf_value.c;
438 zend_llist_add_element(header, &entry);
439 buf_value.c = NULL;
440 key = NULL;
441 }
442
443 *value = '\0';
444 do { value++; } while(isspace(*value));
445
446 key = estrdup(line);
447 smart_str_appends(&buf_value, value);
448 } else if (buf_value.c) {
449 smart_str_appends(&buf_value, line);
450 } else {
451 continue;
452 }
453 }
454 if(buf_value.c && key) {
455
456 smart_str_0(&buf_value);
457 entry.key = key;
458 entry.value = buf_value.c;
459 zend_llist_add_element(header, &entry);
460 }
461
462 return 1;
463 }
464
465 static char *php_mime_get_hdr_value(zend_llist header, char *key)
466 {
467 mime_header_entry *entry;
468
469 if (key == NULL) {
470 return NULL;
471 }
472
473 entry = zend_llist_get_first(&header);
474 while (entry) {
475 if (!strcasecmp(entry->key, key)) {
476 return entry->value;
477 }
478 entry = zend_llist_get_next(&header);
479 }
480
481 return NULL;
482 }
483
484 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop TSRMLS_DC)
485 {
486 char *pos = *line, quote;
487 char *res;
488
489 while (*pos && *pos != stop) {
490 if ((quote = *pos) == '"' || quote == '\'') {
491 ++pos;
492 while (*pos && *pos != quote) {
493 if (*pos == '\\' && pos[1] && pos[1] == quote) {
494 pos += 2;
495 } else {
496 ++pos;
497 }
498 }
499 if (*pos) {
500 ++pos;
501 }
502 } else ++pos;
503 }
504 if (*pos == '\0') {
505 res = estrdup(*line);
506 *line += strlen(*line);
507 return res;
508 }
509
510 res = estrndup(*line, pos - *line);
511
512 while (*pos == stop) {
513 ++pos;
514 }
515
516 *line = pos;
517 return res;
518 }
519
520 static char *substring_conf(char *start, int len, char quote)
521 {
522 char *result = emalloc(len + 1);
523 char *resp = result;
524 int i;
525
526 for (i = 0; i < len && start[i] != quote; ++i) {
527 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
528 *resp++ = start[++i];
529 } else {
530 *resp++ = start[i];
531 }
532 }
533
534 *resp = '\0';
535 return result;
536 }
537
538 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str TSRMLS_DC)
539 {
540 while (*str && isspace(*str)) {
541 ++str;
542 }
543
544 if (!*str) {
545 return estrdup("");
546 }
547
548 if (*str == '"' || *str == '\'') {
549 char quote = *str;
550
551 str++;
552 return substring_conf(str, strlen(str), quote);
553 } else {
554 char *strend = str;
555
556 while (*strend && !isspace(*strend)) {
557 ++strend;
558 }
559 return substring_conf(str, strend - str, 0);
560 }
561 }
562
563 static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC)
564 {
565 char *s = strrchr(path, '\\');
566 char *s2 = strrchr(path, '/');
567
568 if (s && s2) {
569 if (s > s2) {
570 ++s;
571 } else {
572 s = ++s2;
573 }
574 return s;
575 } else if (s) {
576 return ++s;
577 } else if (s2) {
578 return ++s2;
579 }
580 return path;
581 }
582
583
584
585
586
587
588 static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
589 {
590 int len = haystacklen;
591 char *ptr = haystack;
592
593
594 while( (ptr = memchr(ptr, needle[0], len)) ) {
595
596
597 len = haystacklen - (ptr - (char *)haystack);
598
599
600 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
601 break;
602 }
603
604
605 ptr++; len--;
606 }
607
608 return ptr;
609 }
610
611
612 static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
613 {
614 int len, max;
615 char *bound;
616
617
618 if (bytes > self->bytes_in_buffer) {
619 fill_buffer(self TSRMLS_CC);
620 }
621
622
623 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
624 max = bound - self->buf_begin;
625 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
626 *end = 1;
627 }
628 } else {
629 max = self->bytes_in_buffer;
630 }
631
632
633 len = max < bytes-1 ? max : bytes-1;
634
635
636 if (len > 0) {
637
638
639 memcpy(buf, self->buf_begin, len);
640 buf[len] = 0;
641
642 if (bound && len > 0 && buf[len-1] == '\r') {
643 buf[--len] = 0;
644 }
645
646
647 self->bytes_in_buffer -= len;
648 self->buf_begin += len;
649 }
650
651 return len;
652 }
653
654
655
656
657
658 static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC)
659 {
660 char buf[FILLUNIT], *out=NULL;
661 int total_bytes=0, read_bytes=0;
662
663 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
664 out = erealloc(out, total_bytes + read_bytes + 1);
665 memcpy(out + total_bytes, buf, read_bytes);
666 total_bytes += read_bytes;
667 }
668
669 if (out) {
670 out[total_bytes] = '\0';
671 }
672 *len = total_bytes;
673
674 return out;
675 }
676
677
678
679
680
681
682
683 SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
684 {
685 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
686 char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
687 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
688 int64_t total_bytes = 0, max_file_size = 0;
689 int skip_upload = 0, anonindex = 0, is_anonymous;
690 zval *http_post_files = NULL;
691 HashTable *uploaded_files = NULL;
692 multipart_buffer *mbuff;
693 zval *array_ptr = (zval *) arg;
694 int fd = -1;
695 zend_llist header;
696 void *event_extra_data = NULL;
697 unsigned int llen = 0;
698 int upload_cnt = INI_INT("max_file_uploads");
699 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
700 php_rfc1867_getword_t getword;
701 php_rfc1867_getword_conf_t getword_conf;
702 php_rfc1867_basename_t _basename;
703 long count = 0;
704
705 if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) {
706 getword = php_rfc1867_getword;
707 getword_conf = php_rfc1867_getword_conf;
708 _basename = php_rfc1867_basename;
709 } else {
710 getword = php_ap_getword;
711 getword_conf = php_ap_getword_conf;
712 _basename = php_ap_basename;
713 }
714
715 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
716 sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
717 return;
718 }
719
720
721 boundary = strstr(content_type_dup, "boundary");
722 if (!boundary) {
723 int content_type_len = strlen(content_type_dup);
724 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
725
726 php_strtolower(content_type_lcase, content_type_len);
727 boundary = strstr(content_type_lcase, "boundary");
728 if (boundary) {
729 boundary = content_type_dup + (boundary - content_type_lcase);
730 }
731 efree(content_type_lcase);
732 }
733
734 if (!boundary || !(boundary = strchr(boundary, '='))) {
735 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
736 return;
737 }
738
739 boundary++;
740 boundary_len = strlen(boundary);
741
742 if (boundary[0] == '"') {
743 boundary++;
744 boundary_end = strchr(boundary, '"');
745 if (!boundary_end) {
746 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
747 return;
748 }
749 } else {
750
751 boundary_end = strpbrk(boundary, ",;");
752 }
753 if (boundary_end) {
754 boundary_end[0] = '\0';
755 boundary_len = boundary_end-boundary;
756 }
757
758
759 if (!(mbuff = multipart_buffer_new(boundary, boundary_len TSRMLS_CC))) {
760 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
761 return;
762 }
763
764
765 zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);
766
767 ALLOC_HASHTABLE(uploaded_files);
768 zend_hash_init(uploaded_files, 5, NULL, (dtor_func_t) free_estring, 0);
769 SG(rfc1867_uploaded_files) = uploaded_files;
770
771 ALLOC_ZVAL(http_post_files);
772 array_init(http_post_files);
773 INIT_PZVAL(http_post_files);
774 PG(http_globals)[TRACK_VARS_FILES] = http_post_files;
775
776 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
777
778 if (php_rfc1867_callback != NULL) {
779 multipart_event_start event_start;
780
781 event_start.content_length = SG(request_info).content_length;
782 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data TSRMLS_CC) == FAILURE) {
783 goto fileupload_done;
784 }
785 }
786
787 while (!multipart_buffer_eof(mbuff TSRMLS_CC))
788 {
789 char buff[FILLUNIT];
790 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
791 size_t blen = 0, wlen = 0;
792 off_t offset;
793
794 zend_llist_clean(&header);
795
796 if (!multipart_buffer_headers(mbuff, &header TSRMLS_CC)) {
797 goto fileupload_done;
798 }
799
800 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
801 char *pair = NULL;
802 int end = 0;
803
804 while (isspace(*cd)) {
805 ++cd;
806 }
807
808 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';' TSRMLS_CC)))
809 {
810 char *key = NULL, *word = pair;
811
812 while (isspace(*cd)) {
813 ++cd;
814 }
815
816 if (strchr(pair, '=')) {
817 key = getword(mbuff->input_encoding, &pair, '=' TSRMLS_CC);
818
819 if (!strcasecmp(key, "name")) {
820 if (param) {
821 efree(param);
822 }
823 param = getword_conf(mbuff->input_encoding, pair TSRMLS_CC);
824 if (mbuff->input_encoding && internal_encoding) {
825 unsigned char *new_param;
826 size_t new_param_len;
827 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding TSRMLS_CC)) {
828 efree(param);
829 param = (char *)new_param;
830 }
831 }
832 } else if (!strcasecmp(key, "filename")) {
833 if (filename) {
834 efree(filename);
835 }
836 filename = getword_conf(mbuff->input_encoding, pair TSRMLS_CC);
837 if (mbuff->input_encoding && internal_encoding) {
838 unsigned char *new_filename;
839 size_t new_filename_len;
840 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding TSRMLS_CC)) {
841 efree(filename);
842 filename = (char *)new_filename;
843 }
844 }
845 }
846 }
847 if (key) {
848 efree(key);
849 }
850 efree(word);
851 }
852
853
854 if (!filename && param) {
855 unsigned int value_len;
856 char *value = multipart_buffer_read_body(mbuff, &value_len TSRMLS_CC);
857 unsigned int new_val_len;
858
859 if (!value) {
860 value = estrdup("");
861 value_len = 0;
862 }
863
864 if (mbuff->input_encoding && internal_encoding) {
865 unsigned char *new_value;
866 size_t new_value_len;
867 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding TSRMLS_CC)) {
868 efree(value);
869 value = (char *)new_value;
870 value_len = new_value_len;
871 }
872 }
873
874 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
875 if (php_rfc1867_callback != NULL) {
876 multipart_event_formdata event_formdata;
877 size_t newlength = new_val_len;
878
879 event_formdata.post_bytes_processed = SG(read_post_bytes);
880 event_formdata.name = param;
881 event_formdata.value = &value;
882 event_formdata.length = new_val_len;
883 event_formdata.newlength = &newlength;
884 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC) == FAILURE) {
885 efree(param);
886 efree(value);
887 continue;
888 }
889 new_val_len = newlength;
890 }
891 safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
892 } else {
893 if (count == PG(max_input_vars) + 1) {
894 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
895 }
896
897 if (php_rfc1867_callback != NULL) {
898 multipart_event_formdata event_formdata;
899
900 event_formdata.post_bytes_processed = SG(read_post_bytes);
901 event_formdata.name = param;
902 event_formdata.value = &value;
903 event_formdata.length = value_len;
904 event_formdata.newlength = NULL;
905 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
906 }
907 }
908
909 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
910 #ifdef HAVE_ATOLL
911 max_file_size = atoll(value);
912 #else
913 max_file_size = strtoll(value, NULL, 10);
914 #endif
915 }
916
917 efree(param);
918 efree(value);
919 continue;
920 }
921
922
923 if (!PG(file_uploads)) {
924 skip_upload = 1;
925 } else if (upload_cnt <= 0) {
926 skip_upload = 1;
927 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
928 }
929
930
931 if (!param && !filename) {
932 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
933 goto fileupload_done;
934 }
935
936 if (!param) {
937 is_anonymous = 1;
938 param = emalloc(MAX_SIZE_ANONNAME);
939 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
940 } else {
941 is_anonymous = 0;
942 }
943
944
945 if (!skip_upload) {
946 long c = 0;
947 tmp = param;
948
949 while (*tmp) {
950 if (*tmp == '[') {
951 c++;
952 } else if (*tmp == ']') {
953 c--;
954 if (tmp[1] && tmp[1] != '[') {
955 skip_upload = 1;
956 break;
957 }
958 }
959 if (c < 0) {
960 skip_upload = 1;
961 break;
962 }
963 tmp++;
964 }
965
966 if(c != 0) {
967 skip_upload = 1;
968 }
969 }
970
971 total_bytes = cancel_upload = 0;
972 temp_filename = NULL;
973 fd = -1;
974
975 if (!skip_upload && php_rfc1867_callback != NULL) {
976 multipart_event_file_start event_file_start;
977
978 event_file_start.post_bytes_processed = SG(read_post_bytes);
979 event_file_start.name = param;
980 event_file_start.filename = &filename;
981 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data TSRMLS_CC) == FAILURE) {
982 temp_filename = "";
983 efree(param);
984 efree(filename);
985 continue;
986 }
987 }
988
989 if (skip_upload) {
990 efree(param);
991 efree(filename);
992 continue;
993 }
994
995 if (filename[0] == '\0') {
996 #if DEBUG_FILE_UPLOAD
997 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
998 #endif
999 cancel_upload = UPLOAD_ERROR_D;
1000 }
1001
1002 offset = 0;
1003 end = 0;
1004
1005 if (!cancel_upload) {
1006
1007 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
1008 #if DEBUG_FILE_UPLOAD
1009 if (blen > 0) {
1010 #else
1011
1012 {
1013 #endif
1014 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
1015 upload_cnt--;
1016 if (fd == -1) {
1017 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1018 cancel_upload = UPLOAD_ERROR_E;
1019 }
1020 }
1021 }
1022
1023 while (!cancel_upload && (blen > 0))
1024 {
1025 if (php_rfc1867_callback != NULL) {
1026 multipart_event_file_data event_file_data;
1027
1028 event_file_data.post_bytes_processed = SG(read_post_bytes);
1029 event_file_data.offset = offset;
1030 event_file_data.data = buff;
1031 event_file_data.length = blen;
1032 event_file_data.newlength = &blen;
1033 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data TSRMLS_CC) == FAILURE) {
1034 cancel_upload = UPLOAD_ERROR_X;
1035 continue;
1036 }
1037 }
1038
1039 if (PG(upload_max_filesize) > 0 && (long)(total_bytes+blen) > PG(upload_max_filesize)) {
1040 #if DEBUG_FILE_UPLOAD
1041 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1042 #endif
1043 cancel_upload = UPLOAD_ERROR_A;
1044 } else if (max_file_size && ((long)(total_bytes+blen) > max_file_size)) {
1045 #if DEBUG_FILE_UPLOAD
1046 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1047 #endif
1048 cancel_upload = UPLOAD_ERROR_B;
1049 } else if (blen > 0) {
1050 wlen = write(fd, buff, blen);
1051
1052 if (wlen == -1) {
1053
1054 #if DEBUG_FILE_UPLOAD
1055 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1056 #endif
1057 cancel_upload = UPLOAD_ERROR_F;
1058 } else if (wlen < blen) {
1059 #if DEBUG_FILE_UPLOAD
1060 sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
1061 #endif
1062 cancel_upload = UPLOAD_ERROR_F;
1063 } else {
1064 total_bytes += wlen;
1065 }
1066 offset += wlen;
1067 }
1068
1069
1070 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
1071 }
1072
1073 if (fd != -1) {
1074 close(fd);
1075 }
1076
1077 if (!cancel_upload && !end) {
1078 #if DEBUG_FILE_UPLOAD
1079 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1080 #endif
1081 cancel_upload = UPLOAD_ERROR_C;
1082 }
1083 #if DEBUG_FILE_UPLOAD
1084 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1085 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1086 cancel_upload = 5;
1087 }
1088 #endif
1089 if (php_rfc1867_callback != NULL) {
1090 multipart_event_file_end event_file_end;
1091
1092 event_file_end.post_bytes_processed = SG(read_post_bytes);
1093 event_file_end.temp_filename = temp_filename;
1094 event_file_end.cancel_upload = cancel_upload;
1095 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data TSRMLS_CC) == FAILURE) {
1096 cancel_upload = UPLOAD_ERROR_X;
1097 }
1098 }
1099
1100 if (cancel_upload) {
1101 if (temp_filename) {
1102 if (cancel_upload != UPLOAD_ERROR_E) {
1103 unlink(temp_filename);
1104 }
1105 efree(temp_filename);
1106 }
1107 temp_filename = "";
1108 } else {
1109 zend_hash_add(SG(rfc1867_uploaded_files), temp_filename, strlen(temp_filename) + 1, &temp_filename, sizeof(char *), NULL);
1110 }
1111
1112
1113
1114
1115 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1116
1117 if (is_arr_upload) {
1118 array_len = strlen(start_arr);
1119 if (array_index) {
1120 efree(array_index);
1121 }
1122 array_index = estrndup(start_arr + 1, array_len - 2);
1123 }
1124
1125
1126 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1127 llen = strlen(param);
1128 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1129 llen += MAX_SIZE_OF_INDEX + 1;
1130 }
1131
1132 if (is_arr_upload) {
1133 if (abuf) efree(abuf);
1134 abuf = estrndup(param, strlen(param)-array_len);
1135 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1136 } else {
1137 snprintf(lbuf, llen, "%s_name", param);
1138 }
1139
1140
1141
1142
1143
1144
1145 s = _basename(internal_encoding, filename TSRMLS_CC);
1146 if (!s) {
1147 s = filename;
1148 }
1149
1150 if (!is_anonymous) {
1151 safe_php_register_variable(lbuf, s, strlen(s), NULL, 0 TSRMLS_CC);
1152 }
1153
1154
1155 if (is_arr_upload) {
1156 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1157 } else {
1158 snprintf(lbuf, llen, "%s[name]", param);
1159 }
1160 register_http_post_files_variable(lbuf, s, http_post_files, 0 TSRMLS_CC);
1161 efree(filename);
1162 s = NULL;
1163
1164
1165 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1166 cd = "";
1167 } else {
1168
1169 s = strchr(cd, ';');
1170 if (s != NULL) {
1171 *s = '\0';
1172 }
1173 }
1174
1175
1176 if (is_arr_upload) {
1177 snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1178 } else {
1179 snprintf(lbuf, llen, "%s_type", param);
1180 }
1181 if (!is_anonymous) {
1182 safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0 TSRMLS_CC);
1183 }
1184
1185
1186 if (is_arr_upload) {
1187 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1188 } else {
1189 snprintf(lbuf, llen, "%s[type]", param);
1190 }
1191 register_http_post_files_variable(lbuf, cd, http_post_files, 0 TSRMLS_CC);
1192
1193
1194 if (s != NULL) {
1195 *s = ';';
1196 }
1197 s = "";
1198
1199 {
1200
1201
1202 zval zfilename;
1203
1204
1205 add_protected_variable(param TSRMLS_CC);
1206
1207
1208 if (!is_anonymous) {
1209 ZVAL_STRING(&zfilename, temp_filename, 1);
1210 safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC);
1211 }
1212
1213
1214 if (is_arr_upload) {
1215 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1216 } else {
1217 snprintf(lbuf, llen, "%s[tmp_name]", param);
1218 }
1219 add_protected_variable(lbuf TSRMLS_CC);
1220 ZVAL_STRING(&zfilename, temp_filename, 1);
1221 register_http_post_files_variable_ex(lbuf, &zfilename, http_post_files, 1 TSRMLS_CC);
1222 }
1223
1224 {
1225 zval file_size, error_type;
1226 int size_overflow = 0;
1227 char file_size_buf[65];
1228
1229 ZVAL_LONG(&error_type, cancel_upload);
1230
1231
1232 if (cancel_upload) {
1233 ZVAL_LONG(&file_size, 0);
1234 } else {
1235 if (total_bytes > LONG_MAX) {
1236 #ifdef PHP_WIN32
1237 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1238 file_size_buf[0] = '0';
1239 file_size_buf[1] = '\0';
1240 }
1241 #else
1242 {
1243 int __len = snprintf(file_size_buf, 65, "%lld", total_bytes);
1244 file_size_buf[__len] = '\0';
1245 }
1246 #endif
1247 size_overflow = 1;
1248
1249 } else {
1250 ZVAL_LONG(&file_size, total_bytes);
1251 }
1252 }
1253
1254 if (is_arr_upload) {
1255 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1256 } else {
1257 snprintf(lbuf, llen, "%s[error]", param);
1258 }
1259 register_http_post_files_variable_ex(lbuf, &error_type, http_post_files, 0 TSRMLS_CC);
1260
1261
1262 if (is_arr_upload) {
1263 snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1264 } else {
1265 snprintf(lbuf, llen, "%s_size", param);
1266 }
1267 if (!is_anonymous) {
1268 if (size_overflow) {
1269 ZVAL_STRING(&file_size, file_size_buf, 1);
1270 }
1271 safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow TSRMLS_CC);
1272 }
1273
1274
1275 if (is_arr_upload) {
1276 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1277 } else {
1278 snprintf(lbuf, llen, "%s[size]", param);
1279 }
1280 if (size_overflow) {
1281 ZVAL_STRING(&file_size, file_size_buf, 1);
1282 }
1283 register_http_post_files_variable_ex(lbuf, &file_size, http_post_files, size_overflow TSRMLS_CC);
1284 }
1285 efree(param);
1286 }
1287 }
1288
1289 fileupload_done:
1290 if (php_rfc1867_callback != NULL) {
1291 multipart_event_end event_end;
1292
1293 event_end.post_bytes_processed = SG(read_post_bytes);
1294 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data TSRMLS_CC);
1295 }
1296
1297 if (lbuf) efree(lbuf);
1298 if (abuf) efree(abuf);
1299 if (array_index) efree(array_index);
1300 zend_hash_destroy(&PG(rfc1867_protected_variables));
1301 zend_llist_destroy(&header);
1302 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1303 if (mbuff->boundary) efree(mbuff->boundary);
1304 if (mbuff->buffer) efree(mbuff->buffer);
1305 if (mbuff) efree(mbuff);
1306 }
1307
1308
1309 SAPI_API void php_rfc1867_set_multibyte_callbacks(
1310 php_rfc1867_encoding_translation_t encoding_translation,
1311 php_rfc1867_get_detect_order_t get_detect_order,
1312 php_rfc1867_set_input_encoding_t set_input_encoding,
1313 php_rfc1867_getword_t getword,
1314 php_rfc1867_getword_conf_t getword_conf,
1315 php_rfc1867_basename_t basename)
1316 {
1317 php_rfc1867_encoding_translation = encoding_translation;
1318 php_rfc1867_get_detect_order = get_detect_order;
1319 php_rfc1867_set_input_encoding = set_input_encoding;
1320 php_rfc1867_getword = getword;
1321 php_rfc1867_getword_conf = getword_conf;
1322 php_rfc1867_basename = basename;
1323 }
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333