1 /*
2 +----------------------------------------------------------------------+
3 | PHP Version 7 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 1997-2018 The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Rasmus Lerdorf <rasmus@php.net> |
16 | Jani Taskinen <jani@php.net> |
17 +----------------------------------------------------------------------+
18 */
19
20 /* $Id$ */
21
22 /*
23 * This product includes software developed by the Apache Group
24 * for use in the Apache HTTP server project (http://www.apache.org/).
25 *
26 */
27
28 #include <stdio.h>
29 #include "php.h"
30 #include "php_open_temporary_file.h"
31 #include "zend_globals.h"
32 #include "php_globals.h"
33 #include "php_variables.h"
34 #include "rfc1867.h"
35 #include "ext/standard/php_string.h"
36 #include "zend_smart_string.h"
37
38 #if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
39 # define atoll(s) _atoi64(s)
40 # define HAVE_ATOLL 1
41 #endif
42
43 #ifndef DEBUG_FILE_UPLOAD
44 # define DEBUG_FILE_UPLOAD 0
45 #endif
46
dummy_encoding_translation(void)47 static int dummy_encoding_translation(void)
48 {
49 return 0;
50 }
51
52 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
53 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
54
55 static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
56 static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
57 static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
58 static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
59 static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
60 static php_rfc1867_basename_t php_rfc1867_basename = NULL;
61
62 PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
63
64 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection);
65
66 /* The longest property name we use in an uploaded file array */
67 #define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
68
69 /* The longest anonymous name */
70 #define MAX_SIZE_ANONNAME 33
71
72 /* Errors */
73 #define UPLOAD_ERROR_OK 0 /* File upload successful */
74 #define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */
75 #define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
76 #define UPLOAD_ERROR_C 3 /* Partially uploaded */
77 #define UPLOAD_ERROR_D 4 /* No file uploaded */
78 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
79 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
80 #define UPLOAD_ERROR_X 8 /* File upload stopped by extension */
81
php_rfc1867_register_constants(void)82 void php_rfc1867_register_constants(void) /* {{{ */
83 {
84 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
85 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT);
86 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
87 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
88 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
89 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
90 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
91 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
92 }
93 /* }}} */
94
normalize_protected_variable(char * varname)95 static void normalize_protected_variable(char *varname) /* {{{ */
96 {
97 char *s = varname, *index = NULL, *indexend = NULL, *p;
98
99 /* overjump leading space */
100 while (*s == ' ') {
101 s++;
102 }
103
104 /* and remove it */
105 if (s != varname) {
106 memmove(varname, s, strlen(s)+1);
107 }
108
109 for (p = varname; *p && *p != '['; p++) {
110 switch(*p) {
111 case ' ':
112 case '.':
113 *p = '_';
114 break;
115 }
116 }
117
118 /* find index */
119 index = strchr(varname, '[');
120 if (index) {
121 index++;
122 s = index;
123 } else {
124 return;
125 }
126
127 /* done? */
128 while (index) {
129 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
130 index++;
131 }
132 indexend = strchr(index, ']');
133 indexend = indexend ? indexend + 1 : index + strlen(index);
134
135 if (s != index) {
136 memmove(s, index, strlen(index)+1);
137 s += indexend-index;
138 } else {
139 s = indexend;
140 }
141
142 if (*s == '[') {
143 s++;
144 index = s;
145 } else {
146 index = NULL;
147 }
148 }
149 *s = '\0';
150 }
151 /* }}} */
152
add_protected_variable(char * varname)153 static void add_protected_variable(char *varname) /* {{{ */
154 {
155 normalize_protected_variable(varname);
156 zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
157 }
158 /* }}} */
159
is_protected_variable(char * varname)160 static zend_bool is_protected_variable(char *varname) /* {{{ */
161 {
162 normalize_protected_variable(varname);
163 return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
164 }
165 /* }}} */
166
safe_php_register_variable(char * var,char * strval,size_t val_len,zval * track_vars_array,zend_bool override_protection)167 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection) /* {{{ */
168 {
169 if (override_protection || !is_protected_variable(var)) {
170 php_register_variable_safe(var, strval, val_len, track_vars_array);
171 }
172 }
173 /* }}} */
174
safe_php_register_variable_ex(char * var,zval * val,zval * track_vars_array,zend_bool override_protection)175 static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection) /* {{{ */
176 {
177 if (override_protection || !is_protected_variable(var)) {
178 php_register_variable_ex(var, val, track_vars_array);
179 }
180 }
181 /* }}} */
182
register_http_post_files_variable(char * strvar,char * val,zval * http_post_files,zend_bool override_protection)183 static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
184 {
185 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
186 }
187 /* }}} */
188
register_http_post_files_variable_ex(char * var,zval * val,zval * http_post_files,zend_bool override_protection)189 static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
190 {
191 safe_php_register_variable_ex(var, val, http_post_files, override_protection);
192 }
193 /* }}} */
194
unlink_filename(zval * el)195 static int unlink_filename(zval *el) /* {{{ */
196 {
197 zend_string *filename = Z_STR_P(el);
198 VCWD_UNLINK(ZSTR_VAL(filename));
199 return 0;
200 }
201 /* }}} */
202
203
free_filename(zval * el)204 static void free_filename(zval *el) {
205 zend_string *filename = Z_STR_P(el);
206 zend_string_release(filename);
207 }
208
destroy_uploaded_files_hash(void)209 PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
210 {
211 zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename);
212 zend_hash_destroy(SG(rfc1867_uploaded_files));
213 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
214 }
215 /* }}} */
216
217 /* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
218
219 #define FILLUNIT (1024 * 5)
220
221 typedef struct {
222
223 /* read buffer */
224 char *buffer;
225 char *buf_begin;
226 int bufsize;
227 int bytes_in_buffer;
228
229 /* boundary info */
230 char *boundary;
231 char *boundary_next;
232 int boundary_next_len;
233
234 const zend_encoding *input_encoding;
235 const zend_encoding **detect_order;
236 size_t detect_order_size;
237 } multipart_buffer;
238
239 typedef struct {
240 char *key;
241 char *value;
242 } mime_header_entry;
243
244 /*
245 * Fill up the buffer with client data.
246 * Returns number of bytes added to buffer.
247 */
fill_buffer(multipart_buffer * self)248 static int fill_buffer(multipart_buffer *self)
249 {
250 int bytes_to_read, total_read = 0, actual_read = 0;
251
252 /* shift the existing data if necessary */
253 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
254 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
255 }
256
257 self->buf_begin = self->buffer;
258
259 /* calculate the free space in the buffer */
260 bytes_to_read = self->bufsize - self->bytes_in_buffer;
261
262 /* read the required number of bytes */
263 while (bytes_to_read > 0) {
264
265 char *buf = self->buffer + self->bytes_in_buffer;
266
267 actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
268
269 /* update the buffer length */
270 if (actual_read > 0) {
271 self->bytes_in_buffer += actual_read;
272 SG(read_post_bytes) += actual_read;
273 total_read += actual_read;
274 bytes_to_read -= actual_read;
275 } else {
276 break;
277 }
278 }
279
280 return total_read;
281 }
282
283 /* eof if we are out of bytes, or if we hit the final boundary */
multipart_buffer_eof(multipart_buffer * self)284 static int multipart_buffer_eof(multipart_buffer *self)
285 {
286 if ( (self->bytes_in_buffer == 0 && fill_buffer(self) < 1) ) {
287 return 1;
288 } else {
289 return 0;
290 }
291 }
292
293 /* create new multipart_buffer structure */
multipart_buffer_new(char * boundary,int boundary_len)294 static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
295 {
296 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
297
298 int minsize = boundary_len + 6;
299 if (minsize < FILLUNIT) minsize = FILLUNIT;
300
301 self->buffer = (char *) ecalloc(1, minsize + 1);
302 self->bufsize = minsize;
303
304 spprintf(&self->boundary, 0, "--%s", boundary);
305
306 self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
307
308 self->buf_begin = self->buffer;
309 self->bytes_in_buffer = 0;
310
311 if (php_rfc1867_encoding_translation()) {
312 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
313 } else {
314 self->detect_order = NULL;
315 self->detect_order_size = 0;
316 }
317
318 self->input_encoding = NULL;
319
320 return self;
321 }
322
323 /*
324 * Gets the next CRLF terminated line from the input buffer.
325 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
326 * NULL; otherwise, returns the beginning of the null-terminated line,
327 * minus the CRLF.
328 *
329 * Note that we really just look for LF terminated lines. This works
330 * around a bug in internet explorer for the macintosh which sends mime
331 * boundaries that are only LF terminated when you use an image submit
332 * button in a multipart/form-data form.
333 */
next_line(multipart_buffer * self)334 static char *next_line(multipart_buffer *self)
335 {
336 /* look for LF in the data */
337 char* line = self->buf_begin;
338 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
339
340 if (ptr) { /* LF found */
341
342 /* terminate the string, remove CRLF */
343 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
344 *(ptr-1) = 0;
345 } else {
346 *ptr = 0;
347 }
348
349 /* bump the pointer */
350 self->buf_begin = ptr + 1;
351 self->bytes_in_buffer -= (self->buf_begin - line);
352
353 } else { /* no LF found */
354
355 /* buffer isn't completely full, fail */
356 if (self->bytes_in_buffer < self->bufsize) {
357 return NULL;
358 }
359 /* return entire buffer as a partial line */
360 line[self->bufsize] = 0;
361 self->buf_begin = ptr;
362 self->bytes_in_buffer = 0;
363 }
364
365 return line;
366 }
367
368 /* Returns the next CRLF terminated line from the client */
get_line(multipart_buffer * self)369 static char *get_line(multipart_buffer *self)
370 {
371 char* ptr = next_line(self);
372
373 if (!ptr) {
374 fill_buffer(self);
375 ptr = next_line(self);
376 }
377
378 return ptr;
379 }
380
381 /* Free header entry */
php_free_hdr_entry(mime_header_entry * h)382 static void php_free_hdr_entry(mime_header_entry *h)
383 {
384 if (h->key) {
385 efree(h->key);
386 }
387 if (h->value) {
388 efree(h->value);
389 }
390 }
391
392 /* finds a boundary */
find_boundary(multipart_buffer * self,char * boundary)393 static int find_boundary(multipart_buffer *self, char *boundary)
394 {
395 char *line;
396
397 /* loop thru lines */
398 while( (line = get_line(self)) )
399 {
400 /* finished if we found the boundary */
401 if (!strcmp(line, boundary)) {
402 return 1;
403 }
404 }
405
406 /* didn't find the boundary */
407 return 0;
408 }
409
410 /* parse headers */
multipart_buffer_headers(multipart_buffer * self,zend_llist * header)411 static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
412 {
413 char *line;
414 mime_header_entry entry = {0};
415 smart_string buf_value = {0};
416 char *key = NULL;
417
418 /* didn't find boundary, abort */
419 if (!find_boundary(self, self->boundary)) {
420 return 0;
421 }
422
423 /* get lines of text, or CRLF_CRLF */
424
425 while ((line = get_line(self)) && line[0] != '\0') {
426 /* add header to table */
427 char *value = NULL;
428
429 if (php_rfc1867_encoding_translation()) {
430 self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
431 }
432
433 /* space in the beginning means same header */
434 if (!isspace(line[0])) {
435 value = strchr(line, ':');
436 }
437
438 if (value) {
439 if (buf_value.c && key) {
440 /* new entry, add the old one to the list */
441 smart_string_0(&buf_value);
442 entry.key = key;
443 entry.value = buf_value.c;
444 zend_llist_add_element(header, &entry);
445 buf_value.c = NULL;
446 key = NULL;
447 }
448
449 *value = '\0';
450 do { value++; } while (isspace(*value));
451
452 key = estrdup(line);
453 smart_string_appends(&buf_value, value);
454 } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
455 smart_string_appends(&buf_value, line);
456 } else {
457 continue;
458 }
459 }
460
461 if (buf_value.c && key) {
462 /* add the last one to the list */
463 smart_string_0(&buf_value);
464 entry.key = key;
465 entry.value = buf_value.c;
466 zend_llist_add_element(header, &entry);
467 }
468
469 return 1;
470 }
471
php_mime_get_hdr_value(zend_llist header,char * key)472 static char *php_mime_get_hdr_value(zend_llist header, char *key)
473 {
474 mime_header_entry *entry;
475
476 if (key == NULL) {
477 return NULL;
478 }
479
480 entry = zend_llist_get_first(&header);
481 while (entry) {
482 if (!strcasecmp(entry->key, key)) {
483 return entry->value;
484 }
485 entry = zend_llist_get_next(&header);
486 }
487
488 return NULL;
489 }
490
php_ap_getword(const zend_encoding * encoding,char ** line,char stop)491 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
492 {
493 char *pos = *line, quote;
494 char *res;
495
496 while (*pos && *pos != stop) {
497 if ((quote = *pos) == '"' || quote == '\'') {
498 ++pos;
499 while (*pos && *pos != quote) {
500 if (*pos == '\\' && pos[1] && pos[1] == quote) {
501 pos += 2;
502 } else {
503 ++pos;
504 }
505 }
506 if (*pos) {
507 ++pos;
508 }
509 } else ++pos;
510 }
511 if (*pos == '\0') {
512 res = estrdup(*line);
513 *line += strlen(*line);
514 return res;
515 }
516
517 res = estrndup(*line, pos - *line);
518
519 while (*pos == stop) {
520 ++pos;
521 }
522
523 *line = pos;
524 return res;
525 }
526
substring_conf(char * start,int len,char quote)527 static char *substring_conf(char *start, int len, char quote)
528 {
529 char *result = emalloc(len + 1);
530 char *resp = result;
531 int i;
532
533 for (i = 0; i < len && start[i] != quote; ++i) {
534 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
535 *resp++ = start[++i];
536 } else {
537 *resp++ = start[i];
538 }
539 }
540
541 *resp = '\0';
542 return result;
543 }
544
php_ap_getword_conf(const zend_encoding * encoding,char * str)545 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
546 {
547 while (*str && isspace(*str)) {
548 ++str;
549 }
550
551 if (!*str) {
552 return estrdup("");
553 }
554
555 if (*str == '"' || *str == '\'') {
556 char quote = *str;
557
558 str++;
559 return substring_conf(str, (int)strlen(str), quote);
560 } else {
561 char *strend = str;
562
563 while (*strend && !isspace(*strend)) {
564 ++strend;
565 }
566 return substring_conf(str, strend - str, 0);
567 }
568 }
569
php_ap_basename(const zend_encoding * encoding,char * path)570 static char *php_ap_basename(const zend_encoding *encoding, char *path)
571 {
572 char *s = strrchr(path, '\\');
573 char *s2 = strrchr(path, '/');
574
575 if (s && s2) {
576 if (s > s2) {
577 ++s;
578 } else {
579 s = ++s2;
580 }
581 return s;
582 } else if (s) {
583 return ++s;
584 } else if (s2) {
585 return ++s2;
586 }
587 return path;
588 }
589
590 /*
591 * Search for a string in a fixed-length byte string.
592 * If partial is true, partial matches are allowed at the end of the buffer.
593 * Returns NULL if not found, or a pointer to the start of the first match.
594 */
php_ap_memstr(char * haystack,int haystacklen,char * needle,int needlen,int partial)595 static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
596 {
597 int len = haystacklen;
598 char *ptr = haystack;
599
600 /* iterate through first character matches */
601 while( (ptr = memchr(ptr, needle[0], len)) ) {
602
603 /* calculate length after match */
604 len = haystacklen - (ptr - (char *)haystack);
605
606 /* done if matches up to capacity of buffer */
607 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
608 break;
609 }
610
611 /* next character */
612 ptr++; len--;
613 }
614
615 return ptr;
616 }
617
618 /* read until a boundary condition */
multipart_buffer_read(multipart_buffer * self,char * buf,size_t bytes,int * end)619 static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
620 {
621 size_t len, max;
622 char *bound;
623
624 /* fill buffer if needed */
625 if (bytes > (size_t)self->bytes_in_buffer) {
626 fill_buffer(self);
627 }
628
629 /* look for a potential boundary match, only read data up to that point */
630 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
631 max = bound - self->buf_begin;
632 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
633 *end = 1;
634 }
635 } else {
636 max = self->bytes_in_buffer;
637 }
638
639 /* maximum number of bytes we are reading */
640 len = max < bytes-1 ? max : bytes-1;
641
642 /* if we read any data... */
643 if (len > 0) {
644
645 /* copy the data */
646 memcpy(buf, self->buf_begin, len);
647 buf[len] = 0;
648
649 if (bound && len > 0 && buf[len-1] == '\r') {
650 buf[--len] = 0;
651 }
652
653 /* update the buffer */
654 self->bytes_in_buffer -= (int)len;
655 self->buf_begin += len;
656 }
657
658 return len;
659 }
660
661 /*
662 XXX: this is horrible memory-usage-wise, but we only expect
663 to do this on small pieces of form data.
664 */
multipart_buffer_read_body(multipart_buffer * self,size_t * len)665 static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
666 {
667 char buf[FILLUNIT], *out=NULL;
668 size_t total_bytes=0, read_bytes=0;
669
670 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
671 out = erealloc(out, total_bytes + read_bytes + 1);
672 memcpy(out + total_bytes, buf, read_bytes);
673 total_bytes += read_bytes;
674 }
675
676 if (out) {
677 out[total_bytes] = '\0';
678 }
679 *len = total_bytes;
680
681 return out;
682 }
683 /* }}} */
684
685 /*
686 * The combined READER/HANDLER
687 *
688 */
689
SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)690 SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
691 {
692 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
693 char *lbuf = NULL, *abuf = NULL;
694 zend_string *temp_filename = NULL;
695 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
696 size_t array_len = 0;
697 int64_t total_bytes = 0, max_file_size = 0;
698 int skip_upload = 0, anonindex = 0, is_anonymous;
699 HashTable *uploaded_files = NULL;
700 multipart_buffer *mbuff;
701 zval *array_ptr = (zval *) arg;
702 int fd = -1;
703 zend_llist header;
704 void *event_extra_data = NULL;
705 unsigned int llen = 0;
706 int upload_cnt = INI_INT("max_file_uploads");
707 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
708 php_rfc1867_getword_t getword;
709 php_rfc1867_getword_conf_t getword_conf;
710 php_rfc1867_basename_t _basename;
711 zend_long count = 0;
712
713 if (php_rfc1867_encoding_translation() && internal_encoding) {
714 getword = php_rfc1867_getword;
715 getword_conf = php_rfc1867_getword_conf;
716 _basename = php_rfc1867_basename;
717 } else {
718 getword = php_ap_getword;
719 getword_conf = php_ap_getword_conf;
720 _basename = php_ap_basename;
721 }
722
723 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
724 sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
725 return;
726 }
727
728 /* Get the boundary */
729 boundary = strstr(content_type_dup, "boundary");
730 if (!boundary) {
731 int content_type_len = (int)strlen(content_type_dup);
732 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
733
734 php_strtolower(content_type_lcase, content_type_len);
735 boundary = strstr(content_type_lcase, "boundary");
736 if (boundary) {
737 boundary = content_type_dup + (boundary - content_type_lcase);
738 }
739 efree(content_type_lcase);
740 }
741
742 if (!boundary || !(boundary = strchr(boundary, '='))) {
743 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
744 return;
745 }
746
747 boundary++;
748 boundary_len = (int)strlen(boundary);
749
750 if (boundary[0] == '"') {
751 boundary++;
752 boundary_end = strchr(boundary, '"');
753 if (!boundary_end) {
754 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
755 return;
756 }
757 } else {
758 /* search for the end of the boundary */
759 boundary_end = strpbrk(boundary, ",;");
760 }
761 if (boundary_end) {
762 boundary_end[0] = '\0';
763 boundary_len = boundary_end-boundary;
764 }
765
766 /* Initialize the buffer */
767 if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
768 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
769 return;
770 }
771
772 /* Initialize $_FILES[] */
773 zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
774
775 ALLOC_HASHTABLE(uploaded_files);
776 zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
777 SG(rfc1867_uploaded_files) = uploaded_files;
778
779 if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
780 /* php_auto_globals_create_files() might have already done that */
781 array_init(&PG(http_globals)[TRACK_VARS_FILES]);
782 }
783
784 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
785
786 if (php_rfc1867_callback != NULL) {
787 multipart_event_start event_start;
788
789 event_start.content_length = SG(request_info).content_length;
790 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
791 goto fileupload_done;
792 }
793 }
794
795 while (!multipart_buffer_eof(mbuff))
796 {
797 char buff[FILLUNIT];
798 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
799 size_t blen = 0, wlen = 0;
800 zend_off_t offset;
801
802 zend_llist_clean(&header);
803
804 if (!multipart_buffer_headers(mbuff, &header)) {
805 goto fileupload_done;
806 }
807
808 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
809 char *pair = NULL;
810 int end = 0;
811
812 while (isspace(*cd)) {
813 ++cd;
814 }
815
816 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
817 {
818 char *key = NULL, *word = pair;
819
820 while (isspace(*cd)) {
821 ++cd;
822 }
823
824 if (strchr(pair, '=')) {
825 key = getword(mbuff->input_encoding, &pair, '=');
826
827 if (!strcasecmp(key, "name")) {
828 if (param) {
829 efree(param);
830 }
831 param = getword_conf(mbuff->input_encoding, pair);
832 if (mbuff->input_encoding && internal_encoding) {
833 unsigned char *new_param;
834 size_t new_param_len;
835 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
836 efree(param);
837 param = (char *)new_param;
838 }
839 }
840 } else if (!strcasecmp(key, "filename")) {
841 if (filename) {
842 efree(filename);
843 }
844 filename = getword_conf(mbuff->input_encoding, pair);
845 if (mbuff->input_encoding && internal_encoding) {
846 unsigned char *new_filename;
847 size_t new_filename_len;
848 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
849 efree(filename);
850 filename = (char *)new_filename;
851 }
852 }
853 }
854 }
855 if (key) {
856 efree(key);
857 }
858 efree(word);
859 }
860
861 /* Normal form variable, safe to read all data into memory */
862 if (!filename && param) {
863 size_t value_len;
864 char *value = multipart_buffer_read_body(mbuff, &value_len);
865 size_t new_val_len; /* Dummy variable */
866
867 if (!value) {
868 value = estrdup("");
869 value_len = 0;
870 }
871
872 if (mbuff->input_encoding && internal_encoding) {
873 unsigned char *new_value;
874 size_t new_value_len;
875 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
876 efree(value);
877 value = (char *)new_value;
878 value_len = new_value_len;
879 }
880 }
881
882 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
883 if (php_rfc1867_callback != NULL) {
884 multipart_event_formdata event_formdata;
885 size_t newlength = new_val_len;
886
887 event_formdata.post_bytes_processed = SG(read_post_bytes);
888 event_formdata.name = param;
889 event_formdata.value = &value;
890 event_formdata.length = new_val_len;
891 event_formdata.newlength = &newlength;
892 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
893 efree(param);
894 efree(value);
895 continue;
896 }
897 new_val_len = newlength;
898 }
899 safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
900 } else {
901 if (count == PG(max_input_vars) + 1) {
902 php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
903 }
904
905 if (php_rfc1867_callback != NULL) {
906 multipart_event_formdata event_formdata;
907
908 event_formdata.post_bytes_processed = SG(read_post_bytes);
909 event_formdata.name = param;
910 event_formdata.value = &value;
911 event_formdata.length = value_len;
912 event_formdata.newlength = NULL;
913 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
914 }
915 }
916
917 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
918 #ifdef HAVE_ATOLL
919 max_file_size = atoll(value);
920 #else
921 max_file_size = strtoll(value, NULL, 10);
922 #endif
923 }
924
925 efree(param);
926 efree(value);
927 continue;
928 }
929
930 /* If file_uploads=off, skip the file part */
931 if (!PG(file_uploads)) {
932 skip_upload = 1;
933 } else if (upload_cnt <= 0) {
934 skip_upload = 1;
935 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
936 }
937
938 /* Return with an error if the posted data is garbled */
939 if (!param && !filename) {
940 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
941 goto fileupload_done;
942 }
943
944 if (!param) {
945 is_anonymous = 1;
946 param = emalloc(MAX_SIZE_ANONNAME);
947 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
948 } else {
949 is_anonymous = 0;
950 }
951
952 /* New Rule: never repair potential malicious user input */
953 if (!skip_upload) {
954 long c = 0;
955 tmp = param;
956
957 while (*tmp) {
958 if (*tmp == '[') {
959 c++;
960 } else if (*tmp == ']') {
961 c--;
962 if (tmp[1] && tmp[1] != '[') {
963 skip_upload = 1;
964 break;
965 }
966 }
967 if (c < 0) {
968 skip_upload = 1;
969 break;
970 }
971 tmp++;
972 }
973 /* Brackets should always be closed */
974 if(c != 0) {
975 skip_upload = 1;
976 }
977 }
978
979 total_bytes = cancel_upload = 0;
980 temp_filename = NULL;
981 fd = -1;
982
983 if (!skip_upload && php_rfc1867_callback != NULL) {
984 multipart_event_file_start event_file_start;
985
986 event_file_start.post_bytes_processed = SG(read_post_bytes);
987 event_file_start.name = param;
988 event_file_start.filename = &filename;
989 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
990 temp_filename = NULL;
991 efree(param);
992 efree(filename);
993 continue;
994 }
995 }
996
997 if (skip_upload) {
998 efree(param);
999 efree(filename);
1000 continue;
1001 }
1002
1003 if (filename[0] == '\0') {
1004 #if DEBUG_FILE_UPLOAD
1005 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
1006 #endif
1007 cancel_upload = UPLOAD_ERROR_D;
1008 }
1009
1010 offset = 0;
1011 end = 0;
1012
1013 if (!cancel_upload) {
1014 /* only bother to open temp file if we have data */
1015 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1016 #if DEBUG_FILE_UPLOAD
1017 if (blen > 0) {
1018 #else
1019 /* in non-debug mode we have no problem with 0-length files */
1020 {
1021 #endif
1022 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1);
1023 upload_cnt--;
1024 if (fd == -1) {
1025 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1026 cancel_upload = UPLOAD_ERROR_E;
1027 }
1028 }
1029 }
1030
1031 while (!cancel_upload && (blen > 0))
1032 {
1033 if (php_rfc1867_callback != NULL) {
1034 multipart_event_file_data event_file_data;
1035
1036 event_file_data.post_bytes_processed = SG(read_post_bytes);
1037 event_file_data.offset = offset;
1038 event_file_data.data = buff;
1039 event_file_data.length = blen;
1040 event_file_data.newlength = &blen;
1041 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1042 cancel_upload = UPLOAD_ERROR_X;
1043 continue;
1044 }
1045 }
1046
1047 if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1048 #if DEBUG_FILE_UPLOAD
1049 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1050 #endif
1051 cancel_upload = UPLOAD_ERROR_A;
1052 } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1053 #if DEBUG_FILE_UPLOAD
1054 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %" PRId64 " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1055 #endif
1056 cancel_upload = UPLOAD_ERROR_B;
1057 } else if (blen > 0) {
1058 #ifdef PHP_WIN32
1059 wlen = write(fd, buff, (unsigned int)blen);
1060 #else
1061 wlen = write(fd, buff, blen);
1062 #endif
1063
1064 if (wlen == (size_t)-1) {
1065 /* write failed */
1066 #if DEBUG_FILE_UPLOAD
1067 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1068 #endif
1069 cancel_upload = UPLOAD_ERROR_F;
1070 } else if (wlen < blen) {
1071 #if DEBUG_FILE_UPLOAD
1072 sapi_module.sapi_error(E_NOTICE, "Only %zd bytes were written, expected to write %zd", wlen, blen);
1073 #endif
1074 cancel_upload = UPLOAD_ERROR_F;
1075 } else {
1076 total_bytes += wlen;
1077 }
1078 offset += wlen;
1079 }
1080
1081 /* read data for next iteration */
1082 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1083 }
1084
1085 if (fd != -1) { /* may not be initialized if file could not be created */
1086 close(fd);
1087 }
1088
1089 if (!cancel_upload && !end) {
1090 #if DEBUG_FILE_UPLOAD
1091 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1092 #endif
1093 cancel_upload = UPLOAD_ERROR_C;
1094 }
1095 #if DEBUG_FILE_UPLOAD
1096 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1097 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1098 cancel_upload = 5;
1099 }
1100 #endif
1101 if (php_rfc1867_callback != NULL) {
1102 multipart_event_file_end event_file_end;
1103
1104 event_file_end.post_bytes_processed = SG(read_post_bytes);
1105 event_file_end.temp_filename = temp_filename ? ZSTR_VAL(temp_filename) : NULL;
1106 event_file_end.cancel_upload = cancel_upload;
1107 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1108 cancel_upload = UPLOAD_ERROR_X;
1109 }
1110 }
1111
1112 if (cancel_upload) {
1113 if (temp_filename) {
1114 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
1115 unlink(ZSTR_VAL(temp_filename));
1116 }
1117 zend_string_release(temp_filename);
1118 }
1119 temp_filename = NULL;
1120 } else {
1121 zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1122 }
1123
1124 /* is_arr_upload is true when name of file upload field
1125 * ends in [.*]
1126 * start_arr is set to point to 1st [ */
1127 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1128
1129 if (is_arr_upload) {
1130 array_len = strlen(start_arr);
1131 if (array_index) {
1132 efree(array_index);
1133 }
1134 array_index = estrndup(start_arr + 1, array_len - 2);
1135 }
1136
1137 /* Add $foo_name */
1138 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1139 llen = (int)strlen(param);
1140 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1141 llen += MAX_SIZE_OF_INDEX + 1;
1142 }
1143
1144 if (is_arr_upload) {
1145 if (abuf) efree(abuf);
1146 abuf = estrndup(param, strlen(param)-array_len);
1147 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1148 } else {
1149 snprintf(lbuf, llen, "%s_name", param);
1150 }
1151
1152 /* The \ check should technically be needed for win32 systems only where
1153 * it is a valid path separator. However, IE in all it's wisdom always sends
1154 * the full path of the file on the user's filesystem, which means that unless
1155 * the user does basename() they get a bogus file name. Until IE's user base drops
1156 * to nill or problem is fixed this code must remain enabled for all systems. */
1157 s = _basename(internal_encoding, filename);
1158 if (!s) {
1159 s = filename;
1160 }
1161
1162 if (!is_anonymous) {
1163 safe_php_register_variable(lbuf, s, strlen(s), NULL, 0);
1164 }
1165
1166 /* Add $foo[name] */
1167 if (is_arr_upload) {
1168 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1169 } else {
1170 snprintf(lbuf, llen, "%s[name]", param);
1171 }
1172 register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1173 efree(filename);
1174 s = NULL;
1175
1176 /* Possible Content-Type: */
1177 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1178 cd = "";
1179 } else {
1180 /* fix for Opera 6.01 */
1181 s = strchr(cd, ';');
1182 if (s != NULL) {
1183 *s = '\0';
1184 }
1185 }
1186
1187 /* Add $foo_type */
1188 if (is_arr_upload) {
1189 snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1190 } else {
1191 snprintf(lbuf, llen, "%s_type", param);
1192 }
1193 if (!is_anonymous) {
1194 safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0);
1195 }
1196
1197 /* Add $foo[type] */
1198 if (is_arr_upload) {
1199 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1200 } else {
1201 snprintf(lbuf, llen, "%s[type]", param);
1202 }
1203 register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1204
1205 /* Restore Content-Type Header */
1206 if (s != NULL) {
1207 *s = ';';
1208 }
1209 s = "";
1210
1211 {
1212 /* store temp_filename as-is (in case upload_tmp_dir
1213 * contains escapeable characters. escape only the variable name.) */
1214 zval zfilename;
1215
1216 /* Initialize variables */
1217 add_protected_variable(param);
1218
1219 /* if param is of form xxx[.*] this will cut it to xxx */
1220 if (!is_anonymous) {
1221 if (temp_filename) {
1222 ZVAL_STR_COPY(&zfilename, temp_filename);
1223 } else {
1224 ZVAL_EMPTY_STRING(&zfilename);
1225 }
1226 safe_php_register_variable_ex(param, &zfilename, NULL, 1);
1227 }
1228
1229 /* Add $foo[tmp_name] */
1230 if (is_arr_upload) {
1231 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1232 } else {
1233 snprintf(lbuf, llen, "%s[tmp_name]", param);
1234 }
1235 add_protected_variable(lbuf);
1236 if (temp_filename) {
1237 ZVAL_STR_COPY(&zfilename, temp_filename);
1238 } else {
1239 ZVAL_EMPTY_STRING(&zfilename);
1240 }
1241 register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1242 }
1243
1244 {
1245 zval file_size, error_type;
1246 int size_overflow = 0;
1247 char file_size_buf[65];
1248
1249 ZVAL_LONG(&error_type, cancel_upload);
1250
1251 /* Add $foo[error] */
1252 if (cancel_upload) {
1253 ZVAL_LONG(&file_size, 0);
1254 } else {
1255 if (total_bytes > ZEND_LONG_MAX) {
1256 #ifdef PHP_WIN32
1257 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1258 file_size_buf[0] = '0';
1259 file_size_buf[1] = '\0';
1260 }
1261 #else
1262 {
1263 int __len = snprintf(file_size_buf, 65, "%" PRId64, total_bytes);
1264 file_size_buf[__len] = '\0';
1265 }
1266 #endif
1267 size_overflow = 1;
1268
1269 } else {
1270 ZVAL_LONG(&file_size, total_bytes);
1271 }
1272 }
1273
1274 if (is_arr_upload) {
1275 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1276 } else {
1277 snprintf(lbuf, llen, "%s[error]", param);
1278 }
1279 register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1280
1281 /* Add $foo_size */
1282 if (is_arr_upload) {
1283 snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1284 } else {
1285 snprintf(lbuf, llen, "%s_size", param);
1286 }
1287 if (!is_anonymous) {
1288 if (size_overflow) {
1289 ZVAL_STRING(&file_size, file_size_buf);
1290 }
1291 safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow);
1292 }
1293
1294 /* Add $foo[size] */
1295 if (is_arr_upload) {
1296 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1297 } else {
1298 snprintf(lbuf, llen, "%s[size]", param);
1299 }
1300 if (size_overflow) {
1301 ZVAL_STRING(&file_size, file_size_buf);
1302 }
1303 register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1304 }
1305 efree(param);
1306 }
1307 }
1308
1309 fileupload_done:
1310 if (php_rfc1867_callback != NULL) {
1311 multipart_event_end event_end;
1312
1313 event_end.post_bytes_processed = SG(read_post_bytes);
1314 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1315 }
1316
1317 if (lbuf) efree(lbuf);
1318 if (abuf) efree(abuf);
1319 if (array_index) efree(array_index);
1320 zend_hash_destroy(&PG(rfc1867_protected_variables));
1321 zend_llist_destroy(&header);
1322 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1323 if (mbuff->boundary) efree(mbuff->boundary);
1324 if (mbuff->buffer) efree(mbuff->buffer);
1325 if (mbuff) efree(mbuff);
1326 }
1327 /* }}} */
1328
1329 SAPI_API void php_rfc1867_set_multibyte_callbacks(
1330 php_rfc1867_encoding_translation_t encoding_translation,
1331 php_rfc1867_get_detect_order_t get_detect_order,
1332 php_rfc1867_set_input_encoding_t set_input_encoding,
1333 php_rfc1867_getword_t getword,
1334 php_rfc1867_getword_conf_t getword_conf,
1335 php_rfc1867_basename_t basename) /* {{{ */
1336 {
1337 php_rfc1867_encoding_translation = encoding_translation;
1338 php_rfc1867_get_detect_order = get_detect_order;
1339 php_rfc1867_set_input_encoding = set_input_encoding;
1340 php_rfc1867_getword = getword;
1341 php_rfc1867_getword_conf = getword_conf;
1342 php_rfc1867_basename = basename;
1343 }
1344 /* }}} */
1345
1346 /*
1347 * Local variables:
1348 * tab-width: 4
1349 * c-basic-offset: 4
1350 * End:
1351 * vim600: sw=4 ts=4 fdm=marker
1352 * vim<600: sw=4 ts=4
1353 */
1354
