1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | https://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Authors: Rasmus Lerdorf <rasmus@php.net> |
14 | Jani Taskinen <jani@php.net> |
15 +----------------------------------------------------------------------+
16 */
17
18 /*
19 * This product includes software developed by the Apache Group
20 * for use in the Apache HTTP server project (http://www.apache.org/).
21 *
22 */
23
24 #include <stdio.h>
25 #include "php.h"
26 #include "php_open_temporary_file.h"
27 #include "zend_globals.h"
28 #include "php_globals.h"
29 #include "php_variables.h"
30 #include "rfc1867.h"
31 #include "zend_smart_string.h"
32
33 #ifndef DEBUG_FILE_UPLOAD
34 # define DEBUG_FILE_UPLOAD 0
35 #endif
36
dummy_encoding_translation(void)37 static int dummy_encoding_translation(void)
38 {
39 return 0;
40 }
41
42 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
43 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
44
45 static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
46 static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
47 static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
48 static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
49 static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
50 static php_rfc1867_basename_t php_rfc1867_basename = NULL;
51
52 PHPAPI zend_result (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
53
54 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, bool override_protection);
55
56 /* The longest property name we use in an uploaded file array */
57 #define MAX_SIZE_OF_INDEX sizeof("[full_path]")
58
59 /* The longest anonymous name */
60 #define MAX_SIZE_ANONNAME 33
61
normalize_protected_variable(char * varname)62 static void normalize_protected_variable(char *varname) /* {{{ */
63 {
64 char *s = varname, *index = NULL, *indexend = NULL, *p;
65
66 /* skip leading space */
67 while (*s == ' ') {
68 s++;
69 }
70
71 /* and remove it */
72 if (s != varname) {
73 memmove(varname, s, strlen(s)+1);
74 }
75
76 for (p = varname; *p && *p != '['; p++) {
77 switch(*p) {
78 case ' ':
79 case '.':
80 *p = '_';
81 break;
82 }
83 }
84
85 /* find index */
86 index = strchr(varname, '[');
87 if (index) {
88 index++;
89 s = index;
90 } else {
91 return;
92 }
93
94 /* done? */
95 while (index) {
96 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
97 index++;
98 }
99 indexend = strchr(index, ']');
100 indexend = indexend ? indexend + 1 : index + strlen(index);
101
102 if (s != index) {
103 memmove(s, index, strlen(index)+1);
104 s += indexend-index;
105 } else {
106 s = indexend;
107 }
108
109 if (*s == '[') {
110 s++;
111 index = s;
112 } else {
113 index = NULL;
114 }
115 }
116 *s = '\0';
117 }
118 /* }}} */
119
add_protected_variable(char * varname)120 static void add_protected_variable(char *varname) /* {{{ */
121 {
122 normalize_protected_variable(varname);
123 zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
124 }
125 /* }}} */
126
is_protected_variable(char * varname)127 static bool is_protected_variable(char *varname) /* {{{ */
128 {
129 normalize_protected_variable(varname);
130 return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
131 }
132 /* }}} */
133
safe_php_register_variable(char * var,char * strval,size_t val_len,zval * track_vars_array,bool override_protection)134 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, bool override_protection) /* {{{ */
135 {
136 if (override_protection || !is_protected_variable(var)) {
137 php_register_variable_safe(var, strval, val_len, track_vars_array);
138 }
139 }
140 /* }}} */
141
safe_php_register_variable_ex(char * var,zval * val,zval * track_vars_array,bool override_protection)142 static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, bool override_protection) /* {{{ */
143 {
144 if (override_protection || !is_protected_variable(var)) {
145 php_register_variable_ex(var, val, track_vars_array);
146 }
147 }
148 /* }}} */
149
register_http_post_files_variable(char * strvar,char * val,zval * http_post_files,bool override_protection)150 static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, bool override_protection) /* {{{ */
151 {
152 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
153 }
154 /* }}} */
155
register_http_post_files_variable_ex(char * var,zval * val,zval * http_post_files,bool override_protection)156 static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, bool override_protection) /* {{{ */
157 {
158 safe_php_register_variable_ex(var, val, http_post_files, override_protection);
159 }
160 /* }}} */
161
free_filename(zval * el)162 static void free_filename(zval *el) {
163 zend_string *filename = Z_STR_P(el);
164 zend_string_release_ex(filename, 0);
165 }
166
destroy_uploaded_files_hash(void)167 PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
168 {
169 zval *el;
170
171 ZEND_HASH_MAP_FOREACH_VAL(SG(rfc1867_uploaded_files), el) {
172 zend_string *filename = Z_STR_P(el);
173 VCWD_UNLINK(ZSTR_VAL(filename));
174 } ZEND_HASH_FOREACH_END();
175 zend_hash_destroy(SG(rfc1867_uploaded_files));
176 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
177 SG(rfc1867_uploaded_files) = NULL;
178 }
179 /* }}} */
180
181 /* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
182
183 #define FILLUNIT (1024 * 5)
184
185 typedef struct {
186
187 /* read buffer */
188 char *buffer;
189 char *buf_begin;
190 int bufsize;
191 int bytes_in_buffer;
192
193 /* boundary info */
194 char *boundary;
195 char *boundary_next;
196 int boundary_next_len;
197
198 const zend_encoding *input_encoding;
199 const zend_encoding **detect_order;
200 size_t detect_order_size;
201 } multipart_buffer;
202
203 typedef struct {
204 char *key;
205 char *value;
206 } mime_header_entry;
207
208 /*
209 * Fill up the buffer with client data.
210 * Returns number of bytes added to buffer.
211 */
fill_buffer(multipart_buffer * self)212 static int fill_buffer(multipart_buffer *self)
213 {
214 int bytes_to_read, total_read = 0, actual_read = 0;
215
216 /* shift the existing data if necessary */
217 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
218 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
219 }
220
221 self->buf_begin = self->buffer;
222
223 /* calculate the free space in the buffer */
224 bytes_to_read = self->bufsize - self->bytes_in_buffer;
225
226 /* read the required number of bytes */
227 while (bytes_to_read > 0) {
228
229 char *buf = self->buffer + self->bytes_in_buffer;
230
231 actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
232
233 /* update the buffer length */
234 if (actual_read > 0) {
235 self->bytes_in_buffer += actual_read;
236 SG(read_post_bytes) += actual_read;
237 total_read += actual_read;
238 bytes_to_read -= actual_read;
239 } else {
240 break;
241 }
242 }
243
244 return total_read;
245 }
246
247 /* eof if we are out of bytes, or if we hit the final boundary */
multipart_buffer_eof(multipart_buffer * self)248 static int multipart_buffer_eof(multipart_buffer *self)
249 {
250 return self->bytes_in_buffer == 0 && fill_buffer(self) < 1;
251 }
252
253 /* create new multipart_buffer structure */
multipart_buffer_new(char * boundary,int boundary_len)254 static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
255 {
256 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
257
258 int minsize = boundary_len + 6;
259 if (minsize < FILLUNIT) minsize = FILLUNIT;
260
261 self->buffer = (char *) ecalloc(1, minsize + 1);
262 self->bufsize = minsize;
263
264 spprintf(&self->boundary, 0, "--%s", boundary);
265
266 self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
267
268 self->buf_begin = self->buffer;
269 self->bytes_in_buffer = 0;
270
271 if (php_rfc1867_encoding_translation()) {
272 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
273 } else {
274 self->detect_order = NULL;
275 self->detect_order_size = 0;
276 }
277
278 self->input_encoding = NULL;
279
280 return self;
281 }
282
283 /*
284 * Gets the next CRLF terminated line from the input buffer.
285 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
286 * NULL; otherwise, returns the beginning of the null-terminated line,
287 * minus the CRLF.
288 *
289 * Note that we really just look for LF terminated lines. This works
290 * around a bug in internet explorer for the macintosh which sends mime
291 * boundaries that are only LF terminated when you use an image submit
292 * button in a multipart/form-data form.
293 */
next_line(multipart_buffer * self)294 static char *next_line(multipart_buffer *self)
295 {
296 /* look for LF in the data */
297 char* line = self->buf_begin;
298 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
299
300 if (ptr) { /* LF found */
301
302 /* terminate the string, remove CRLF */
303 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
304 *(ptr-1) = 0;
305 } else {
306 *ptr = 0;
307 }
308
309 /* bump the pointer */
310 self->buf_begin = ptr + 1;
311 self->bytes_in_buffer -= (self->buf_begin - line);
312
313 } else { /* no LF found */
314
315 /* buffer isn't completely full, fail */
316 if (self->bytes_in_buffer < self->bufsize) {
317 return NULL;
318 }
319 /* return entire buffer as a partial line */
320 line[self->bufsize] = 0;
321 self->buf_begin = ptr;
322 self->bytes_in_buffer = 0;
323 }
324
325 return line;
326 }
327
328 /* Returns the next CRLF terminated line from the client */
get_line(multipart_buffer * self)329 static char *get_line(multipart_buffer *self)
330 {
331 char* ptr = next_line(self);
332
333 if (!ptr) {
334 fill_buffer(self);
335 ptr = next_line(self);
336 }
337
338 return ptr;
339 }
340
341 /* Free header entry */
php_free_hdr_entry(mime_header_entry * h)342 static void php_free_hdr_entry(mime_header_entry *h)
343 {
344 if (h->key) {
345 efree(h->key);
346 }
347 if (h->value) {
348 efree(h->value);
349 }
350 }
351
352 /* finds a boundary */
find_boundary(multipart_buffer * self,char * boundary)353 static int find_boundary(multipart_buffer *self, char *boundary)
354 {
355 char *line;
356
357 /* loop through lines */
358 while( (line = get_line(self)) )
359 {
360 /* finished if we found the boundary */
361 if (!strcmp(line, boundary)) {
362 return 1;
363 }
364 }
365
366 /* didn't find the boundary */
367 return 0;
368 }
369
370 /* parse headers */
multipart_buffer_headers(multipart_buffer * self,zend_llist * header)371 static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
372 {
373 char *line;
374 mime_header_entry entry = {0};
375 smart_string buf_value = {0};
376 char *key = NULL;
377
378 /* didn't find boundary, abort */
379 if (!find_boundary(self, self->boundary)) {
380 return 0;
381 }
382
383 /* get lines of text, or CRLF_CRLF */
384
385 while ((line = get_line(self)) && line[0] != '\0') {
386 /* add header to table */
387 char *value = NULL;
388
389 if (php_rfc1867_encoding_translation()) {
390 self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
391 }
392
393 /* space in the beginning means same header */
394 if (!isspace(line[0])) {
395 value = strchr(line, ':');
396 }
397
398 if (value) {
399 if (buf_value.c && key) {
400 /* new entry, add the old one to the list */
401 smart_string_0(&buf_value);
402 entry.key = key;
403 entry.value = buf_value.c;
404 zend_llist_add_element(header, &entry);
405 buf_value.c = NULL;
406 key = NULL;
407 }
408
409 *value = '\0';
410 do { value++; } while (isspace(*value));
411
412 key = estrdup(line);
413 smart_string_appends(&buf_value, value);
414 } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
415 smart_string_appends(&buf_value, line);
416 } else {
417 continue;
418 }
419 }
420
421 if (buf_value.c && key) {
422 /* add the last one to the list */
423 smart_string_0(&buf_value);
424 entry.key = key;
425 entry.value = buf_value.c;
426 zend_llist_add_element(header, &entry);
427 }
428
429 return 1;
430 }
431
php_mime_get_hdr_value(zend_llist header,char * key)432 static char *php_mime_get_hdr_value(zend_llist header, char *key)
433 {
434 mime_header_entry *entry;
435
436 if (key == NULL) {
437 return NULL;
438 }
439
440 entry = zend_llist_get_first(&header);
441 while (entry) {
442 if (!strcasecmp(entry->key, key)) {
443 return entry->value;
444 }
445 entry = zend_llist_get_next(&header);
446 }
447
448 return NULL;
449 }
450
php_ap_getword(const zend_encoding * encoding,char ** line,char stop)451 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
452 {
453 char *pos = *line, quote;
454 char *res;
455
456 while (*pos && *pos != stop) {
457 if ((quote = *pos) == '"' || quote == '\'') {
458 ++pos;
459 while (*pos && *pos != quote) {
460 if (*pos == '\\' && pos[1] && pos[1] == quote) {
461 pos += 2;
462 } else {
463 ++pos;
464 }
465 }
466 if (*pos) {
467 ++pos;
468 }
469 } else ++pos;
470 }
471 if (*pos == '\0') {
472 res = estrdup(*line);
473 *line += strlen(*line);
474 return res;
475 }
476
477 res = estrndup(*line, pos - *line);
478
479 while (*pos == stop) {
480 ++pos;
481 }
482
483 *line = pos;
484 return res;
485 }
486
substring_conf(char * start,int len,char quote)487 static char *substring_conf(char *start, int len, char quote)
488 {
489 char *result = emalloc(len + 1);
490 char *resp = result;
491 int i;
492
493 for (i = 0; i < len && start[i] != quote; ++i) {
494 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
495 *resp++ = start[++i];
496 } else {
497 *resp++ = start[i];
498 }
499 }
500
501 *resp = '\0';
502 return result;
503 }
504
php_ap_getword_conf(const zend_encoding * encoding,char * str)505 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
506 {
507 while (*str && isspace(*str)) {
508 ++str;
509 }
510
511 if (!*str) {
512 return estrdup("");
513 }
514
515 if (*str == '"' || *str == '\'') {
516 char quote = *str;
517
518 str++;
519 return substring_conf(str, (int)strlen(str), quote);
520 } else {
521 char *strend = str;
522
523 while (*strend && !isspace(*strend)) {
524 ++strend;
525 }
526 return substring_conf(str, strend - str, 0);
527 }
528 }
529
php_ap_basename(const zend_encoding * encoding,char * path)530 static char *php_ap_basename(const zend_encoding *encoding, char *path)
531 {
532 char *s = strrchr(path, '\\');
533 char *s2 = strrchr(path, '/');
534
535 if (s && s2) {
536 if (s > s2) {
537 ++s;
538 } else {
539 s = ++s2;
540 }
541 return s;
542 } else if (s) {
543 return ++s;
544 } else if (s2) {
545 return ++s2;
546 }
547 return path;
548 }
549
550 /*
551 * Search for a string in a fixed-length byte string.
552 * If partial is true, partial matches are allowed at the end of the buffer.
553 * Returns NULL if not found, or a pointer to the start of the first match.
554 */
php_ap_memstr(char * haystack,int haystacklen,char * needle,int needlen,int partial)555 static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
556 {
557 int len = haystacklen;
558 char *ptr = haystack;
559
560 /* iterate through first character matches */
561 while( (ptr = memchr(ptr, needle[0], len)) ) {
562
563 /* calculate length after match */
564 len = haystacklen - (ptr - (char *)haystack);
565
566 /* done if matches up to capacity of buffer */
567 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
568 break;
569 }
570
571 /* next character */
572 ptr++; len--;
573 }
574
575 return ptr;
576 }
577
578 /* read until a boundary condition */
multipart_buffer_read(multipart_buffer * self,char * buf,size_t bytes,int * end)579 static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
580 {
581 size_t len, max;
582 char *bound;
583
584 /* fill buffer if needed */
585 if (bytes > (size_t)self->bytes_in_buffer) {
586 fill_buffer(self);
587 }
588
589 /* look for a potential boundary match, only read data up to that point */
590 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
591 max = bound - self->buf_begin;
592 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
593 *end = 1;
594 }
595 } else {
596 max = self->bytes_in_buffer;
597 }
598
599 /* maximum number of bytes we are reading */
600 len = max < bytes-1 ? max : bytes-1;
601
602 /* if we read any data... */
603 if (len > 0) {
604
605 /* copy the data */
606 memcpy(buf, self->buf_begin, len);
607 buf[len] = 0;
608
609 if (bound && len > 0 && buf[len-1] == '\r') {
610 buf[--len] = 0;
611 }
612
613 /* update the buffer */
614 self->bytes_in_buffer -= (int)len;
615 self->buf_begin += len;
616 }
617
618 return len;
619 }
620
621 /*
622 XXX: this is horrible memory-usage-wise, but we only expect
623 to do this on small pieces of form data.
624 */
multipart_buffer_read_body(multipart_buffer * self,size_t * len)625 static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
626 {
627 char buf[FILLUNIT], *out=NULL;
628 size_t total_bytes=0, read_bytes=0;
629
630 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
631 out = erealloc(out, total_bytes + read_bytes + 1);
632 memcpy(out + total_bytes, buf, read_bytes);
633 total_bytes += read_bytes;
634 }
635
636 if (out) {
637 out[total_bytes] = '\0';
638 }
639 *len = total_bytes;
640
641 return out;
642 }
643 /* }}} */
644
645 /*
646 * The combined READER/HANDLER
647 *
648 */
649
SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)650 SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
651 {
652 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
653 char *lbuf = NULL, *abuf = NULL;
654 zend_string *temp_filename = NULL;
655 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
656 size_t array_len = 0;
657 int64_t total_bytes = 0, max_file_size = 0;
658 int skip_upload = 0, anonymous_index = 0;
659 HashTable *uploaded_files = NULL;
660 multipart_buffer *mbuff;
661 zval *array_ptr = (zval *) arg;
662 int fd = -1;
663 zend_llist header;
664 void *event_extra_data = NULL;
665 unsigned int llen = 0;
666 int upload_cnt = INI_INT("max_file_uploads");
667 int body_parts_cnt = INI_INT("max_multipart_body_parts");
668 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
669 php_rfc1867_getword_t getword;
670 php_rfc1867_getword_conf_t getword_conf;
671 php_rfc1867_basename_t _basename;
672 zend_long count = 0;
673
674 if (php_rfc1867_encoding_translation() && internal_encoding) {
675 getword = php_rfc1867_getword;
676 getword_conf = php_rfc1867_getword_conf;
677 _basename = php_rfc1867_basename;
678 } else {
679 getword = php_ap_getword;
680 getword_conf = php_ap_getword_conf;
681 _basename = php_ap_basename;
682 }
683
684 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
685 sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
686 return;
687 }
688
689 if (body_parts_cnt < 0) {
690 body_parts_cnt = PG(max_input_vars) + upload_cnt;
691 }
692 int body_parts_limit = body_parts_cnt;
693
694 /* Get the boundary */
695 boundary = strstr(content_type_dup, "boundary");
696 if (!boundary) {
697 int content_type_len = (int)strlen(content_type_dup);
698 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
699
700 zend_str_tolower(content_type_lcase, content_type_len);
701 boundary = strstr(content_type_lcase, "boundary");
702 if (boundary) {
703 boundary = content_type_dup + (boundary - content_type_lcase);
704 }
705 efree(content_type_lcase);
706 }
707
708 if (!boundary || !(boundary = strchr(boundary, '='))) {
709 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
710 return;
711 }
712
713 boundary++;
714 boundary_len = (int)strlen(boundary);
715
716 if (boundary[0] == '"') {
717 boundary++;
718 boundary_end = strchr(boundary, '"');
719 if (!boundary_end) {
720 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
721 return;
722 }
723 } else {
724 /* search for the end of the boundary */
725 boundary_end = strpbrk(boundary, ",;");
726 }
727 if (boundary_end) {
728 boundary_end[0] = '\0';
729 boundary_len = boundary_end-boundary;
730 }
731
732 /* Boundaries larger than FILLUNIT-strlen("\r\n--") characters lead to
733 * erroneous parsing */
734 if (boundary_len > FILLUNIT-strlen("\r\n--")) {
735 sapi_module.sapi_error(E_WARNING, "Boundary too large in multipart/form-data POST data");
736 return;
737 }
738
739 /* Initialize the buffer */
740 if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
741 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
742 return;
743 }
744
745 /* Initialize $_FILES[] */
746 zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
747
748 ALLOC_HASHTABLE(uploaded_files);
749 zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
750 SG(rfc1867_uploaded_files) = uploaded_files;
751
752 if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
753 /* php_auto_globals_create_files() might have already done that */
754 array_init(&PG(http_globals)[TRACK_VARS_FILES]);
755 }
756
757 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
758
759 if (php_rfc1867_callback != NULL) {
760 multipart_event_start event_start;
761
762 event_start.content_length = SG(request_info).content_length;
763 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
764 goto fileupload_done;
765 }
766 }
767
768 while (!multipart_buffer_eof(mbuff))
769 {
770 char buff[FILLUNIT];
771 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
772 size_t blen = 0, wlen = 0;
773 zend_off_t offset;
774
775 zend_llist_clean(&header);
776
777 if (!multipart_buffer_headers(mbuff, &header)) {
778 goto fileupload_done;
779 }
780
781 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
782 char *pair = NULL;
783 int end = 0;
784
785 if (--body_parts_cnt < 0) {
786 php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
787 goto fileupload_done;
788 }
789
790 while (isspace(*cd)) {
791 ++cd;
792 }
793
794 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
795 {
796 char *key = NULL, *word = pair;
797
798 while (isspace(*cd)) {
799 ++cd;
800 }
801
802 if (strchr(pair, '=')) {
803 key = getword(mbuff->input_encoding, &pair, '=');
804
805 if (!strcasecmp(key, "name")) {
806 if (param) {
807 efree(param);
808 }
809 param = getword_conf(mbuff->input_encoding, pair);
810 if (mbuff->input_encoding && internal_encoding) {
811 unsigned char *new_param;
812 size_t new_param_len;
813 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
814 efree(param);
815 param = (char *)new_param;
816 }
817 }
818 } else if (!strcasecmp(key, "filename")) {
819 if (filename) {
820 efree(filename);
821 }
822 filename = getword_conf(mbuff->input_encoding, pair);
823 if (mbuff->input_encoding && internal_encoding) {
824 unsigned char *new_filename;
825 size_t new_filename_len;
826 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
827 efree(filename);
828 filename = (char *)new_filename;
829 }
830 }
831 }
832 }
833 if (key) {
834 efree(key);
835 }
836 efree(word);
837 }
838
839 /* Normal form variable, safe to read all data into memory */
840 if (!filename && param) {
841 size_t value_len;
842 char *value = multipart_buffer_read_body(mbuff, &value_len);
843 size_t new_val_len; /* Dummy variable */
844
845 if (!value) {
846 value = estrdup("");
847 value_len = 0;
848 }
849
850 if (mbuff->input_encoding && internal_encoding) {
851 unsigned char *new_value;
852 size_t new_value_len;
853 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
854 efree(value);
855 value = (char *)new_value;
856 value_len = new_value_len;
857 }
858 }
859
860 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
861 if (php_rfc1867_callback != NULL) {
862 multipart_event_formdata event_formdata;
863 size_t newlength = new_val_len;
864
865 event_formdata.post_bytes_processed = SG(read_post_bytes);
866 event_formdata.name = param;
867 event_formdata.value = &value;
868 event_formdata.length = new_val_len;
869 event_formdata.newlength = &newlength;
870 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
871 efree(param);
872 efree(value);
873 continue;
874 }
875 new_val_len = newlength;
876 }
877 safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
878 } else {
879 if (count == PG(max_input_vars) + 1) {
880 php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
881 }
882
883 if (php_rfc1867_callback != NULL) {
884 multipart_event_formdata event_formdata;
885
886 event_formdata.post_bytes_processed = SG(read_post_bytes);
887 event_formdata.name = param;
888 event_formdata.value = &value;
889 event_formdata.length = value_len;
890 event_formdata.newlength = NULL;
891 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
892 }
893 }
894
895 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
896 max_file_size = strtoll(value, NULL, 10);
897 }
898
899 efree(param);
900 efree(value);
901 continue;
902 }
903
904 /* If file_uploads=off, skip the file part */
905 if (!PG(file_uploads)) {
906 skip_upload = 1;
907 } else if (upload_cnt <= 0) {
908 skip_upload = 1;
909 if (upload_cnt == 0) {
910 --upload_cnt;
911 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
912 }
913 }
914
915 /* Return with an error if the posted data is garbled */
916 if (!param && !filename) {
917 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
918 goto fileupload_done;
919 }
920
921 if (!param) {
922 param = emalloc(MAX_SIZE_ANONNAME);
923 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonymous_index++);
924 }
925
926 /* New Rule: never repair potential malicious user input */
927 if (!skip_upload) {
928 long c = 0;
929 tmp = param;
930
931 while (*tmp) {
932 if (*tmp == '[') {
933 c++;
934 } else if (*tmp == ']') {
935 c--;
936 if (tmp[1] && tmp[1] != '[') {
937 skip_upload = 1;
938 break;
939 }
940 }
941 if (c < 0) {
942 skip_upload = 1;
943 break;
944 }
945 tmp++;
946 }
947 /* Brackets should always be closed */
948 if(c != 0) {
949 skip_upload = 1;
950 }
951 }
952
953 total_bytes = cancel_upload = 0;
954 temp_filename = NULL;
955 fd = -1;
956
957 if (!skip_upload && php_rfc1867_callback != NULL) {
958 multipart_event_file_start event_file_start;
959
960 event_file_start.post_bytes_processed = SG(read_post_bytes);
961 event_file_start.name = param;
962 event_file_start.filename = &filename;
963 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
964 temp_filename = NULL;
965 efree(param);
966 efree(filename);
967 continue;
968 }
969 }
970
971 if (skip_upload) {
972 efree(param);
973 efree(filename);
974 continue;
975 }
976
977 if (filename[0] == '\0') {
978 #if DEBUG_FILE_UPLOAD
979 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
980 #endif
981 cancel_upload = PHP_UPLOAD_ERROR_D;
982 }
983
984 offset = 0;
985 end = 0;
986
987 if (!cancel_upload) {
988 /* only bother to open temp file if we have data */
989 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
990 #if DEBUG_FILE_UPLOAD
991 if (blen > 0) {
992 #else
993 /* in non-debug mode we have no problem with 0-length files */
994 {
995 #endif
996 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK);
997 upload_cnt--;
998 if (fd == -1) {
999 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1000 cancel_upload = PHP_UPLOAD_ERROR_E;
1001 }
1002 }
1003 }
1004
1005 while (!cancel_upload && (blen > 0))
1006 {
1007 if (php_rfc1867_callback != NULL) {
1008 multipart_event_file_data event_file_data;
1009
1010 event_file_data.post_bytes_processed = SG(read_post_bytes);
1011 event_file_data.offset = offset;
1012 event_file_data.data = buff;
1013 event_file_data.length = blen;
1014 event_file_data.newlength = &blen;
1015 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1016 cancel_upload = PHP_UPLOAD_ERROR_X;
1017 continue;
1018 }
1019 }
1020
1021 if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1022 #if DEBUG_FILE_UPLOAD
1023 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1024 #endif
1025 cancel_upload = PHP_UPLOAD_ERROR_A;
1026 } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1027 #if DEBUG_FILE_UPLOAD
1028 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %" PRId64 " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1029 #endif
1030 cancel_upload = PHP_UPLOAD_ERROR_B;
1031 } else if (blen > 0) {
1032 #ifdef PHP_WIN32
1033 wlen = write(fd, buff, (unsigned int)blen);
1034 #else
1035 wlen = write(fd, buff, blen);
1036 #endif
1037
1038 if (wlen == (size_t)-1) {
1039 /* write failed */
1040 #if DEBUG_FILE_UPLOAD
1041 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1042 #endif
1043 cancel_upload = PHP_UPLOAD_ERROR_F;
1044 } else if (wlen < blen) {
1045 #if DEBUG_FILE_UPLOAD
1046 sapi_module.sapi_error(E_NOTICE, "Only %zd bytes were written, expected to write %zd", wlen, blen);
1047 #endif
1048 cancel_upload = PHP_UPLOAD_ERROR_F;
1049 } else {
1050 total_bytes += wlen;
1051 }
1052 offset += wlen;
1053 }
1054
1055 /* read data for next iteration */
1056 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1057 }
1058
1059 if (fd != -1) { /* may not be initialized if file could not be created */
1060 close(fd);
1061 }
1062
1063 if (!cancel_upload && !end) {
1064 #if DEBUG_FILE_UPLOAD
1065 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1066 #endif
1067 cancel_upload = PHP_UPLOAD_ERROR_C;
1068 }
1069 #if DEBUG_FILE_UPLOAD
1070 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1071 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1072 cancel_upload = 5;
1073 }
1074 #endif
1075 if (php_rfc1867_callback != NULL) {
1076 multipart_event_file_end event_file_end;
1077
1078 event_file_end.post_bytes_processed = SG(read_post_bytes);
1079 event_file_end.temp_filename = temp_filename ? ZSTR_VAL(temp_filename) : NULL;
1080 event_file_end.cancel_upload = cancel_upload;
1081 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1082 cancel_upload = PHP_UPLOAD_ERROR_X;
1083 }
1084 }
1085
1086 if (cancel_upload) {
1087 if (temp_filename) {
1088 if (cancel_upload != PHP_UPLOAD_ERROR_E) { /* file creation failed */
1089 unlink(ZSTR_VAL(temp_filename));
1090 }
1091 zend_string_release_ex(temp_filename, 0);
1092 }
1093 temp_filename = NULL;
1094 } else {
1095 zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1096 }
1097
1098 /* is_arr_upload is true when name of file upload field
1099 * ends in [.*]
1100 * start_arr is set to point to 1st [ */
1101 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1102
1103 if (is_arr_upload) {
1104 array_len = strlen(start_arr);
1105 if (array_index) {
1106 efree(array_index);
1107 }
1108 array_index = estrndup(start_arr + 1, array_len - 2);
1109 }
1110
1111 /* Add $foo_name */
1112 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1113 llen = (int)strlen(param);
1114 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1115 llen += MAX_SIZE_OF_INDEX + 1;
1116 }
1117
1118 if (is_arr_upload) {
1119 if (abuf) efree(abuf);
1120 abuf = estrndup(param, strlen(param)-array_len);
1121 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1122 } else {
1123 snprintf(lbuf, llen, "%s_name", param);
1124 }
1125
1126 /* Pursuant to RFC 7578, strip any path components in the
1127 * user-supplied file name:
1128 * > If a "filename" parameter is supplied ... do not use
1129 * > directory path information that may be present."
1130 */
1131 s = _basename(internal_encoding, filename);
1132 if (!s) {
1133 s = filename;
1134 }
1135
1136 /* Add $foo[name] */
1137 if (is_arr_upload) {
1138 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1139 } else {
1140 snprintf(lbuf, llen, "%s[name]", param);
1141 }
1142 register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1143 s = NULL;
1144
1145 /* Add full path of supplied file for folder uploads via
1146 * <input type="file" name="files" multiple webkitdirectory>
1147 */
1148 /* Add $foo[full_path] */
1149 if (is_arr_upload) {
1150 snprintf(lbuf, llen, "%s[full_path][%s]", abuf, array_index);
1151 } else {
1152 snprintf(lbuf, llen, "%s[full_path]", param);
1153 }
1154 register_http_post_files_variable(lbuf, filename, &PG(http_globals)[TRACK_VARS_FILES], 0);
1155 efree(filename);
1156
1157 /* Possible Content-Type: */
1158 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1159 cd = "";
1160 } else {
1161 /* fix for Opera 6.01 */
1162 s = strchr(cd, ';');
1163 if (s != NULL) {
1164 *s = '\0';
1165 }
1166 }
1167
1168 /* Add $foo[type] */
1169 if (is_arr_upload) {
1170 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1171 } else {
1172 snprintf(lbuf, llen, "%s[type]", param);
1173 }
1174 register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1175
1176 /* Restore Content-Type Header */
1177 if (s != NULL) {
1178 *s = ';';
1179 }
1180 s = "";
1181
1182 {
1183 /* store temp_filename as-is (in case upload_tmp_dir
1184 * contains escapable characters. escape only the variable name.) */
1185 zval zfilename;
1186
1187 /* Initialize variables */
1188 add_protected_variable(param);
1189
1190 /* Add $foo[tmp_name] */
1191 if (is_arr_upload) {
1192 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1193 } else {
1194 snprintf(lbuf, llen, "%s[tmp_name]", param);
1195 }
1196 add_protected_variable(lbuf);
1197 if (temp_filename) {
1198 ZVAL_STR_COPY(&zfilename, temp_filename);
1199 } else {
1200 ZVAL_EMPTY_STRING(&zfilename);
1201 }
1202 register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1203 }
1204
1205 {
1206 zval file_size, error_type;
1207 int size_overflow = 0;
1208 char file_size_buf[65];
1209
1210 ZVAL_LONG(&error_type, cancel_upload);
1211
1212 /* Add $foo[error] */
1213 if (cancel_upload) {
1214 ZVAL_LONG(&file_size, 0);
1215 } else {
1216 if (total_bytes > ZEND_LONG_MAX) {
1217 #ifdef PHP_WIN32
1218 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1219 file_size_buf[0] = '0';
1220 file_size_buf[1] = '\0';
1221 }
1222 #else
1223 {
1224 int __len = snprintf(file_size_buf, 65, "%" PRId64, total_bytes);
1225 file_size_buf[__len] = '\0';
1226 }
1227 #endif
1228 size_overflow = 1;
1229
1230 } else {
1231 ZVAL_LONG(&file_size, total_bytes);
1232 }
1233 }
1234
1235 if (is_arr_upload) {
1236 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1237 } else {
1238 snprintf(lbuf, llen, "%s[error]", param);
1239 }
1240 register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1241
1242 /* Add $foo[size] */
1243 if (is_arr_upload) {
1244 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1245 } else {
1246 snprintf(lbuf, llen, "%s[size]", param);
1247 }
1248 if (size_overflow) {
1249 ZVAL_STRING(&file_size, file_size_buf);
1250 }
1251 register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1252 }
1253 efree(param);
1254 }
1255 }
1256
1257 fileupload_done:
1258 if (php_rfc1867_callback != NULL) {
1259 multipart_event_end event_end;
1260
1261 event_end.post_bytes_processed = SG(read_post_bytes);
1262 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1263 }
1264
1265 if (lbuf) efree(lbuf);
1266 if (abuf) efree(abuf);
1267 if (array_index) efree(array_index);
1268 zend_hash_destroy(&PG(rfc1867_protected_variables));
1269 zend_llist_destroy(&header);
1270 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1271 if (mbuff->boundary) efree(mbuff->boundary);
1272 if (mbuff->buffer) efree(mbuff->buffer);
1273 if (mbuff) efree(mbuff);
1274 }
1275 /* }}} */
1276
1277 SAPI_API void php_rfc1867_set_multibyte_callbacks(
1278 php_rfc1867_encoding_translation_t encoding_translation,
1279 php_rfc1867_get_detect_order_t get_detect_order,
1280 php_rfc1867_set_input_encoding_t set_input_encoding,
1281 php_rfc1867_getword_t getword,
1282 php_rfc1867_getword_conf_t getword_conf,
1283 php_rfc1867_basename_t basename) /* {{{ */
1284 {
1285 php_rfc1867_encoding_translation = encoding_translation;
1286 php_rfc1867_get_detect_order = get_detect_order;
1287 php_rfc1867_set_input_encoding = set_input_encoding;
1288 php_rfc1867_getword = getword;
1289 php_rfc1867_getword_conf = getword_conf;
1290 php_rfc1867_basename = basename;
1291 }
1292 /* }}} */
1293
