1 /*
2 +----------------------------------------------------------------------+
3 | PHP Version 7 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 1997-2018 The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Rasmus Lerdorf <rasmus@php.net> |
16 | Jani Taskinen <jani@php.net> |
17 +----------------------------------------------------------------------+
18 */
19
20 /*
21 * This product includes software developed by the Apache Group
22 * for use in the Apache HTTP server project (http://www.apache.org/).
23 *
24 */
25
26 #include <stdio.h>
27 #include "php.h"
28 #include "php_open_temporary_file.h"
29 #include "zend_globals.h"
30 #include "php_globals.h"
31 #include "php_variables.h"
32 #include "rfc1867.h"
33 #include "ext/standard/php_string.h"
34 #include "zend_smart_string.h"
35
36 #if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
37 # define atoll(s) _atoi64(s)
38 # define HAVE_ATOLL 1
39 #endif
40
41 #ifndef DEBUG_FILE_UPLOAD
42 # define DEBUG_FILE_UPLOAD 0
43 #endif
44
dummy_encoding_translation(void)45 static int dummy_encoding_translation(void)
46 {
47 return 0;
48 }
49
50 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
51 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
52
53 static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
54 static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
55 static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
56 static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
57 static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
58 static php_rfc1867_basename_t php_rfc1867_basename = NULL;
59
60 PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
61
62 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection);
63
64 /* The longest property name we use in an uploaded file array */
65 #define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
66
67 /* The longest anonymous name */
68 #define MAX_SIZE_ANONNAME 33
69
70 /* Errors */
71 #define UPLOAD_ERROR_OK 0 /* File upload successful */
72 #define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */
73 #define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
74 #define UPLOAD_ERROR_C 3 /* Partially uploaded */
75 #define UPLOAD_ERROR_D 4 /* No file uploaded */
76 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
77 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
78 #define UPLOAD_ERROR_X 8 /* File upload stopped by extension */
79
php_rfc1867_register_constants(void)80 void php_rfc1867_register_constants(void) /* {{{ */
81 {
82 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
83 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT);
84 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
85 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
86 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
87 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
88 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
89 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
90 }
91 /* }}} */
92
normalize_protected_variable(char * varname)93 static void normalize_protected_variable(char *varname) /* {{{ */
94 {
95 char *s = varname, *index = NULL, *indexend = NULL, *p;
96
97 /* overjump leading space */
98 while (*s == ' ') {
99 s++;
100 }
101
102 /* and remove it */
103 if (s != varname) {
104 memmove(varname, s, strlen(s)+1);
105 }
106
107 for (p = varname; *p && *p != '['; p++) {
108 switch(*p) {
109 case ' ':
110 case '.':
111 *p = '_';
112 break;
113 }
114 }
115
116 /* find index */
117 index = strchr(varname, '[');
118 if (index) {
119 index++;
120 s = index;
121 } else {
122 return;
123 }
124
125 /* done? */
126 while (index) {
127 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
128 index++;
129 }
130 indexend = strchr(index, ']');
131 indexend = indexend ? indexend + 1 : index + strlen(index);
132
133 if (s != index) {
134 memmove(s, index, strlen(index)+1);
135 s += indexend-index;
136 } else {
137 s = indexend;
138 }
139
140 if (*s == '[') {
141 s++;
142 index = s;
143 } else {
144 index = NULL;
145 }
146 }
147 *s = '\0';
148 }
149 /* }}} */
150
add_protected_variable(char * varname)151 static void add_protected_variable(char *varname) /* {{{ */
152 {
153 normalize_protected_variable(varname);
154 zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
155 }
156 /* }}} */
157
is_protected_variable(char * varname)158 static zend_bool is_protected_variable(char *varname) /* {{{ */
159 {
160 normalize_protected_variable(varname);
161 return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
162 }
163 /* }}} */
164
safe_php_register_variable(char * var,char * strval,size_t val_len,zval * track_vars_array,zend_bool override_protection)165 static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection) /* {{{ */
166 {
167 if (override_protection || !is_protected_variable(var)) {
168 php_register_variable_safe(var, strval, val_len, track_vars_array);
169 }
170 }
171 /* }}} */
172
safe_php_register_variable_ex(char * var,zval * val,zval * track_vars_array,zend_bool override_protection)173 static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection) /* {{{ */
174 {
175 if (override_protection || !is_protected_variable(var)) {
176 php_register_variable_ex(var, val, track_vars_array);
177 }
178 }
179 /* }}} */
180
register_http_post_files_variable(char * strvar,char * val,zval * http_post_files,zend_bool override_protection)181 static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
182 {
183 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
184 }
185 /* }}} */
186
register_http_post_files_variable_ex(char * var,zval * val,zval * http_post_files,zend_bool override_protection)187 static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
188 {
189 safe_php_register_variable_ex(var, val, http_post_files, override_protection);
190 }
191 /* }}} */
192
unlink_filename(zval * el)193 static int unlink_filename(zval *el) /* {{{ */
194 {
195 zend_string *filename = Z_STR_P(el);
196 VCWD_UNLINK(ZSTR_VAL(filename));
197 return 0;
198 }
199 /* }}} */
200
201
free_filename(zval * el)202 static void free_filename(zval *el) {
203 zend_string *filename = Z_STR_P(el);
204 zend_string_release_ex(filename, 0);
205 }
206
destroy_uploaded_files_hash(void)207 PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
208 {
209 zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename);
210 zend_hash_destroy(SG(rfc1867_uploaded_files));
211 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
212 }
213 /* }}} */
214
215 /* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
216
217 #define FILLUNIT (1024 * 5)
218
219 typedef struct {
220
221 /* read buffer */
222 char *buffer;
223 char *buf_begin;
224 int bufsize;
225 int bytes_in_buffer;
226
227 /* boundary info */
228 char *boundary;
229 char *boundary_next;
230 int boundary_next_len;
231
232 const zend_encoding *input_encoding;
233 const zend_encoding **detect_order;
234 size_t detect_order_size;
235 } multipart_buffer;
236
237 typedef struct {
238 char *key;
239 char *value;
240 } mime_header_entry;
241
242 /*
243 * Fill up the buffer with client data.
244 * Returns number of bytes added to buffer.
245 */
fill_buffer(multipart_buffer * self)246 static int fill_buffer(multipart_buffer *self)
247 {
248 int bytes_to_read, total_read = 0, actual_read = 0;
249
250 /* shift the existing data if necessary */
251 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
252 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
253 }
254
255 self->buf_begin = self->buffer;
256
257 /* calculate the free space in the buffer */
258 bytes_to_read = self->bufsize - self->bytes_in_buffer;
259
260 /* read the required number of bytes */
261 while (bytes_to_read > 0) {
262
263 char *buf = self->buffer + self->bytes_in_buffer;
264
265 actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
266
267 /* update the buffer length */
268 if (actual_read > 0) {
269 self->bytes_in_buffer += actual_read;
270 SG(read_post_bytes) += actual_read;
271 total_read += actual_read;
272 bytes_to_read -= actual_read;
273 } else {
274 break;
275 }
276 }
277
278 return total_read;
279 }
280
281 /* eof if we are out of bytes, or if we hit the final boundary */
multipart_buffer_eof(multipart_buffer * self)282 static int multipart_buffer_eof(multipart_buffer *self)
283 {
284 if ( (self->bytes_in_buffer == 0 && fill_buffer(self) < 1) ) {
285 return 1;
286 } else {
287 return 0;
288 }
289 }
290
291 /* create new multipart_buffer structure */
multipart_buffer_new(char * boundary,int boundary_len)292 static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
293 {
294 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
295
296 int minsize = boundary_len + 6;
297 if (minsize < FILLUNIT) minsize = FILLUNIT;
298
299 self->buffer = (char *) ecalloc(1, minsize + 1);
300 self->bufsize = minsize;
301
302 spprintf(&self->boundary, 0, "--%s", boundary);
303
304 self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
305
306 self->buf_begin = self->buffer;
307 self->bytes_in_buffer = 0;
308
309 if (php_rfc1867_encoding_translation()) {
310 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
311 } else {
312 self->detect_order = NULL;
313 self->detect_order_size = 0;
314 }
315
316 self->input_encoding = NULL;
317
318 return self;
319 }
320
321 /*
322 * Gets the next CRLF terminated line from the input buffer.
323 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
324 * NULL; otherwise, returns the beginning of the null-terminated line,
325 * minus the CRLF.
326 *
327 * Note that we really just look for LF terminated lines. This works
328 * around a bug in internet explorer for the macintosh which sends mime
329 * boundaries that are only LF terminated when you use an image submit
330 * button in a multipart/form-data form.
331 */
next_line(multipart_buffer * self)332 static char *next_line(multipart_buffer *self)
333 {
334 /* look for LF in the data */
335 char* line = self->buf_begin;
336 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
337
338 if (ptr) { /* LF found */
339
340 /* terminate the string, remove CRLF */
341 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
342 *(ptr-1) = 0;
343 } else {
344 *ptr = 0;
345 }
346
347 /* bump the pointer */
348 self->buf_begin = ptr + 1;
349 self->bytes_in_buffer -= (self->buf_begin - line);
350
351 } else { /* no LF found */
352
353 /* buffer isn't completely full, fail */
354 if (self->bytes_in_buffer < self->bufsize) {
355 return NULL;
356 }
357 /* return entire buffer as a partial line */
358 line[self->bufsize] = 0;
359 self->buf_begin = ptr;
360 self->bytes_in_buffer = 0;
361 }
362
363 return line;
364 }
365
366 /* Returns the next CRLF terminated line from the client */
get_line(multipart_buffer * self)367 static char *get_line(multipart_buffer *self)
368 {
369 char* ptr = next_line(self);
370
371 if (!ptr) {
372 fill_buffer(self);
373 ptr = next_line(self);
374 }
375
376 return ptr;
377 }
378
379 /* Free header entry */
php_free_hdr_entry(mime_header_entry * h)380 static void php_free_hdr_entry(mime_header_entry *h)
381 {
382 if (h->key) {
383 efree(h->key);
384 }
385 if (h->value) {
386 efree(h->value);
387 }
388 }
389
390 /* finds a boundary */
find_boundary(multipart_buffer * self,char * boundary)391 static int find_boundary(multipart_buffer *self, char *boundary)
392 {
393 char *line;
394
395 /* loop through lines */
396 while( (line = get_line(self)) )
397 {
398 /* finished if we found the boundary */
399 if (!strcmp(line, boundary)) {
400 return 1;
401 }
402 }
403
404 /* didn't find the boundary */
405 return 0;
406 }
407
408 /* parse headers */
multipart_buffer_headers(multipart_buffer * self,zend_llist * header)409 static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
410 {
411 char *line;
412 mime_header_entry entry = {0};
413 smart_string buf_value = {0};
414 char *key = NULL;
415
416 /* didn't find boundary, abort */
417 if (!find_boundary(self, self->boundary)) {
418 return 0;
419 }
420
421 /* get lines of text, or CRLF_CRLF */
422
423 while ((line = get_line(self)) && line[0] != '\0') {
424 /* add header to table */
425 char *value = NULL;
426
427 if (php_rfc1867_encoding_translation()) {
428 self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
429 }
430
431 /* space in the beginning means same header */
432 if (!isspace(line[0])) {
433 value = strchr(line, ':');
434 }
435
436 if (value) {
437 if (buf_value.c && key) {
438 /* new entry, add the old one to the list */
439 smart_string_0(&buf_value);
440 entry.key = key;
441 entry.value = buf_value.c;
442 zend_llist_add_element(header, &entry);
443 buf_value.c = NULL;
444 key = NULL;
445 }
446
447 *value = '\0';
448 do { value++; } while (isspace(*value));
449
450 key = estrdup(line);
451 smart_string_appends(&buf_value, value);
452 } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
453 smart_string_appends(&buf_value, line);
454 } else {
455 continue;
456 }
457 }
458
459 if (buf_value.c && key) {
460 /* add the last one to the list */
461 smart_string_0(&buf_value);
462 entry.key = key;
463 entry.value = buf_value.c;
464 zend_llist_add_element(header, &entry);
465 }
466
467 return 1;
468 }
469
php_mime_get_hdr_value(zend_llist header,char * key)470 static char *php_mime_get_hdr_value(zend_llist header, char *key)
471 {
472 mime_header_entry *entry;
473
474 if (key == NULL) {
475 return NULL;
476 }
477
478 entry = zend_llist_get_first(&header);
479 while (entry) {
480 if (!strcasecmp(entry->key, key)) {
481 return entry->value;
482 }
483 entry = zend_llist_get_next(&header);
484 }
485
486 return NULL;
487 }
488
php_ap_getword(const zend_encoding * encoding,char ** line,char stop)489 static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
490 {
491 char *pos = *line, quote;
492 char *res;
493
494 while (*pos && *pos != stop) {
495 if ((quote = *pos) == '"' || quote == '\'') {
496 ++pos;
497 while (*pos && *pos != quote) {
498 if (*pos == '\\' && pos[1] && pos[1] == quote) {
499 pos += 2;
500 } else {
501 ++pos;
502 }
503 }
504 if (*pos) {
505 ++pos;
506 }
507 } else ++pos;
508 }
509 if (*pos == '\0') {
510 res = estrdup(*line);
511 *line += strlen(*line);
512 return res;
513 }
514
515 res = estrndup(*line, pos - *line);
516
517 while (*pos == stop) {
518 ++pos;
519 }
520
521 *line = pos;
522 return res;
523 }
524
substring_conf(char * start,int len,char quote)525 static char *substring_conf(char *start, int len, char quote)
526 {
527 char *result = emalloc(len + 1);
528 char *resp = result;
529 int i;
530
531 for (i = 0; i < len && start[i] != quote; ++i) {
532 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
533 *resp++ = start[++i];
534 } else {
535 *resp++ = start[i];
536 }
537 }
538
539 *resp = '\0';
540 return result;
541 }
542
php_ap_getword_conf(const zend_encoding * encoding,char * str)543 static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
544 {
545 while (*str && isspace(*str)) {
546 ++str;
547 }
548
549 if (!*str) {
550 return estrdup("");
551 }
552
553 if (*str == '"' || *str == '\'') {
554 char quote = *str;
555
556 str++;
557 return substring_conf(str, (int)strlen(str), quote);
558 } else {
559 char *strend = str;
560
561 while (*strend && !isspace(*strend)) {
562 ++strend;
563 }
564 return substring_conf(str, strend - str, 0);
565 }
566 }
567
php_ap_basename(const zend_encoding * encoding,char * path)568 static char *php_ap_basename(const zend_encoding *encoding, char *path)
569 {
570 char *s = strrchr(path, '\\');
571 char *s2 = strrchr(path, '/');
572
573 if (s && s2) {
574 if (s > s2) {
575 ++s;
576 } else {
577 s = ++s2;
578 }
579 return s;
580 } else if (s) {
581 return ++s;
582 } else if (s2) {
583 return ++s2;
584 }
585 return path;
586 }
587
588 /*
589 * Search for a string in a fixed-length byte string.
590 * If partial is true, partial matches are allowed at the end of the buffer.
591 * Returns NULL if not found, or a pointer to the start of the first match.
592 */
php_ap_memstr(char * haystack,int haystacklen,char * needle,int needlen,int partial)593 static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
594 {
595 int len = haystacklen;
596 char *ptr = haystack;
597
598 /* iterate through first character matches */
599 while( (ptr = memchr(ptr, needle[0], len)) ) {
600
601 /* calculate length after match */
602 len = haystacklen - (ptr - (char *)haystack);
603
604 /* done if matches up to capacity of buffer */
605 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
606 break;
607 }
608
609 /* next character */
610 ptr++; len--;
611 }
612
613 return ptr;
614 }
615
616 /* read until a boundary condition */
multipart_buffer_read(multipart_buffer * self,char * buf,size_t bytes,int * end)617 static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
618 {
619 size_t len, max;
620 char *bound;
621
622 /* fill buffer if needed */
623 if (bytes > (size_t)self->bytes_in_buffer) {
624 fill_buffer(self);
625 }
626
627 /* look for a potential boundary match, only read data up to that point */
628 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
629 max = bound - self->buf_begin;
630 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
631 *end = 1;
632 }
633 } else {
634 max = self->bytes_in_buffer;
635 }
636
637 /* maximum number of bytes we are reading */
638 len = max < bytes-1 ? max : bytes-1;
639
640 /* if we read any data... */
641 if (len > 0) {
642
643 /* copy the data */
644 memcpy(buf, self->buf_begin, len);
645 buf[len] = 0;
646
647 if (bound && len > 0 && buf[len-1] == '\r') {
648 buf[--len] = 0;
649 }
650
651 /* update the buffer */
652 self->bytes_in_buffer -= (int)len;
653 self->buf_begin += len;
654 }
655
656 return len;
657 }
658
659 /*
660 XXX: this is horrible memory-usage-wise, but we only expect
661 to do this on small pieces of form data.
662 */
multipart_buffer_read_body(multipart_buffer * self,size_t * len)663 static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
664 {
665 char buf[FILLUNIT], *out=NULL;
666 size_t total_bytes=0, read_bytes=0;
667
668 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
669 out = erealloc(out, total_bytes + read_bytes + 1);
670 memcpy(out + total_bytes, buf, read_bytes);
671 total_bytes += read_bytes;
672 }
673
674 if (out) {
675 out[total_bytes] = '\0';
676 }
677 *len = total_bytes;
678
679 return out;
680 }
681 /* }}} */
682
683 /*
684 * The combined READER/HANDLER
685 *
686 */
687
SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)688 SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
689 {
690 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
691 char *lbuf = NULL, *abuf = NULL;
692 zend_string *temp_filename = NULL;
693 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
694 size_t array_len = 0;
695 int64_t total_bytes = 0, max_file_size = 0;
696 int skip_upload = 0, anonindex = 0, is_anonymous;
697 HashTable *uploaded_files = NULL;
698 multipart_buffer *mbuff;
699 zval *array_ptr = (zval *) arg;
700 int fd = -1;
701 zend_llist header;
702 void *event_extra_data = NULL;
703 unsigned int llen = 0;
704 int upload_cnt = INI_INT("max_file_uploads");
705 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
706 php_rfc1867_getword_t getword;
707 php_rfc1867_getword_conf_t getword_conf;
708 php_rfc1867_basename_t _basename;
709 zend_long count = 0;
710
711 if (php_rfc1867_encoding_translation() && internal_encoding) {
712 getword = php_rfc1867_getword;
713 getword_conf = php_rfc1867_getword_conf;
714 _basename = php_rfc1867_basename;
715 } else {
716 getword = php_ap_getword;
717 getword_conf = php_ap_getword_conf;
718 _basename = php_ap_basename;
719 }
720
721 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
722 sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
723 return;
724 }
725
726 /* Get the boundary */
727 boundary = strstr(content_type_dup, "boundary");
728 if (!boundary) {
729 int content_type_len = (int)strlen(content_type_dup);
730 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
731
732 php_strtolower(content_type_lcase, content_type_len);
733 boundary = strstr(content_type_lcase, "boundary");
734 if (boundary) {
735 boundary = content_type_dup + (boundary - content_type_lcase);
736 }
737 efree(content_type_lcase);
738 }
739
740 if (!boundary || !(boundary = strchr(boundary, '='))) {
741 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
742 return;
743 }
744
745 boundary++;
746 boundary_len = (int)strlen(boundary);
747
748 if (boundary[0] == '"') {
749 boundary++;
750 boundary_end = strchr(boundary, '"');
751 if (!boundary_end) {
752 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
753 return;
754 }
755 } else {
756 /* search for the end of the boundary */
757 boundary_end = strpbrk(boundary, ",;");
758 }
759 if (boundary_end) {
760 boundary_end[0] = '\0';
761 boundary_len = boundary_end-boundary;
762 }
763
764 /* Initialize the buffer */
765 if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
766 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
767 return;
768 }
769
770 /* Initialize $_FILES[] */
771 zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
772
773 ALLOC_HASHTABLE(uploaded_files);
774 zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
775 SG(rfc1867_uploaded_files) = uploaded_files;
776
777 if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
778 /* php_auto_globals_create_files() might have already done that */
779 array_init(&PG(http_globals)[TRACK_VARS_FILES]);
780 }
781
782 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
783
784 if (php_rfc1867_callback != NULL) {
785 multipart_event_start event_start;
786
787 event_start.content_length = SG(request_info).content_length;
788 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
789 goto fileupload_done;
790 }
791 }
792
793 while (!multipart_buffer_eof(mbuff))
794 {
795 char buff[FILLUNIT];
796 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
797 size_t blen = 0, wlen = 0;
798 zend_off_t offset;
799
800 zend_llist_clean(&header);
801
802 if (!multipart_buffer_headers(mbuff, &header)) {
803 goto fileupload_done;
804 }
805
806 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
807 char *pair = NULL;
808 int end = 0;
809
810 while (isspace(*cd)) {
811 ++cd;
812 }
813
814 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
815 {
816 char *key = NULL, *word = pair;
817
818 while (isspace(*cd)) {
819 ++cd;
820 }
821
822 if (strchr(pair, '=')) {
823 key = getword(mbuff->input_encoding, &pair, '=');
824
825 if (!strcasecmp(key, "name")) {
826 if (param) {
827 efree(param);
828 }
829 param = getword_conf(mbuff->input_encoding, pair);
830 if (mbuff->input_encoding && internal_encoding) {
831 unsigned char *new_param;
832 size_t new_param_len;
833 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
834 efree(param);
835 param = (char *)new_param;
836 }
837 }
838 } else if (!strcasecmp(key, "filename")) {
839 if (filename) {
840 efree(filename);
841 }
842 filename = getword_conf(mbuff->input_encoding, pair);
843 if (mbuff->input_encoding && internal_encoding) {
844 unsigned char *new_filename;
845 size_t new_filename_len;
846 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
847 efree(filename);
848 filename = (char *)new_filename;
849 }
850 }
851 }
852 }
853 if (key) {
854 efree(key);
855 }
856 efree(word);
857 }
858
859 /* Normal form variable, safe to read all data into memory */
860 if (!filename && param) {
861 size_t value_len;
862 char *value = multipart_buffer_read_body(mbuff, &value_len);
863 size_t new_val_len; /* Dummy variable */
864
865 if (!value) {
866 value = estrdup("");
867 value_len = 0;
868 }
869
870 if (mbuff->input_encoding && internal_encoding) {
871 unsigned char *new_value;
872 size_t new_value_len;
873 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
874 efree(value);
875 value = (char *)new_value;
876 value_len = new_value_len;
877 }
878 }
879
880 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
881 if (php_rfc1867_callback != NULL) {
882 multipart_event_formdata event_formdata;
883 size_t newlength = new_val_len;
884
885 event_formdata.post_bytes_processed = SG(read_post_bytes);
886 event_formdata.name = param;
887 event_formdata.value = &value;
888 event_formdata.length = new_val_len;
889 event_formdata.newlength = &newlength;
890 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
891 efree(param);
892 efree(value);
893 continue;
894 }
895 new_val_len = newlength;
896 }
897 safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
898 } else {
899 if (count == PG(max_input_vars) + 1) {
900 php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
901 }
902
903 if (php_rfc1867_callback != NULL) {
904 multipart_event_formdata event_formdata;
905
906 event_formdata.post_bytes_processed = SG(read_post_bytes);
907 event_formdata.name = param;
908 event_formdata.value = &value;
909 event_formdata.length = value_len;
910 event_formdata.newlength = NULL;
911 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
912 }
913 }
914
915 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
916 #ifdef HAVE_ATOLL
917 max_file_size = atoll(value);
918 #else
919 max_file_size = strtoll(value, NULL, 10);
920 #endif
921 }
922
923 efree(param);
924 efree(value);
925 continue;
926 }
927
928 /* If file_uploads=off, skip the file part */
929 if (!PG(file_uploads)) {
930 skip_upload = 1;
931 } else if (upload_cnt <= 0) {
932 skip_upload = 1;
933 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
934 }
935
936 /* Return with an error if the posted data is garbled */
937 if (!param && !filename) {
938 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
939 goto fileupload_done;
940 }
941
942 if (!param) {
943 is_anonymous = 1;
944 param = emalloc(MAX_SIZE_ANONNAME);
945 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
946 } else {
947 is_anonymous = 0;
948 }
949
950 /* New Rule: never repair potential malicious user input */
951 if (!skip_upload) {
952 long c = 0;
953 tmp = param;
954
955 while (*tmp) {
956 if (*tmp == '[') {
957 c++;
958 } else if (*tmp == ']') {
959 c--;
960 if (tmp[1] && tmp[1] != '[') {
961 skip_upload = 1;
962 break;
963 }
964 }
965 if (c < 0) {
966 skip_upload = 1;
967 break;
968 }
969 tmp++;
970 }
971 /* Brackets should always be closed */
972 if(c != 0) {
973 skip_upload = 1;
974 }
975 }
976
977 total_bytes = cancel_upload = 0;
978 temp_filename = NULL;
979 fd = -1;
980
981 if (!skip_upload && php_rfc1867_callback != NULL) {
982 multipart_event_file_start event_file_start;
983
984 event_file_start.post_bytes_processed = SG(read_post_bytes);
985 event_file_start.name = param;
986 event_file_start.filename = &filename;
987 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
988 temp_filename = NULL;
989 efree(param);
990 efree(filename);
991 continue;
992 }
993 }
994
995 if (skip_upload) {
996 efree(param);
997 efree(filename);
998 continue;
999 }
1000
1001 if (filename[0] == '\0') {
1002 #if DEBUG_FILE_UPLOAD
1003 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
1004 #endif
1005 cancel_upload = UPLOAD_ERROR_D;
1006 }
1007
1008 offset = 0;
1009 end = 0;
1010
1011 if (!cancel_upload) {
1012 /* only bother to open temp file if we have data */
1013 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1014 #if DEBUG_FILE_UPLOAD
1015 if (blen > 0) {
1016 #else
1017 /* in non-debug mode we have no problem with 0-length files */
1018 {
1019 #endif
1020 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1);
1021 upload_cnt--;
1022 if (fd == -1) {
1023 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1024 cancel_upload = UPLOAD_ERROR_E;
1025 }
1026 }
1027 }
1028
1029 while (!cancel_upload && (blen > 0))
1030 {
1031 if (php_rfc1867_callback != NULL) {
1032 multipart_event_file_data event_file_data;
1033
1034 event_file_data.post_bytes_processed = SG(read_post_bytes);
1035 event_file_data.offset = offset;
1036 event_file_data.data = buff;
1037 event_file_data.length = blen;
1038 event_file_data.newlength = &blen;
1039 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1040 cancel_upload = UPLOAD_ERROR_X;
1041 continue;
1042 }
1043 }
1044
1045 if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1046 #if DEBUG_FILE_UPLOAD
1047 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1048 #endif
1049 cancel_upload = UPLOAD_ERROR_A;
1050 } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1051 #if DEBUG_FILE_UPLOAD
1052 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %" PRId64 " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1053 #endif
1054 cancel_upload = UPLOAD_ERROR_B;
1055 } else if (blen > 0) {
1056 #ifdef PHP_WIN32
1057 wlen = write(fd, buff, (unsigned int)blen);
1058 #else
1059 wlen = write(fd, buff, blen);
1060 #endif
1061
1062 if (wlen == (size_t)-1) {
1063 /* write failed */
1064 #if DEBUG_FILE_UPLOAD
1065 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1066 #endif
1067 cancel_upload = UPLOAD_ERROR_F;
1068 } else if (wlen < blen) {
1069 #if DEBUG_FILE_UPLOAD
1070 sapi_module.sapi_error(E_NOTICE, "Only %zd bytes were written, expected to write %zd", wlen, blen);
1071 #endif
1072 cancel_upload = UPLOAD_ERROR_F;
1073 } else {
1074 total_bytes += wlen;
1075 }
1076 offset += wlen;
1077 }
1078
1079 /* read data for next iteration */
1080 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1081 }
1082
1083 if (fd != -1) { /* may not be initialized if file could not be created */
1084 close(fd);
1085 }
1086
1087 if (!cancel_upload && !end) {
1088 #if DEBUG_FILE_UPLOAD
1089 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1090 #endif
1091 cancel_upload = UPLOAD_ERROR_C;
1092 }
1093 #if DEBUG_FILE_UPLOAD
1094 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1095 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1096 cancel_upload = 5;
1097 }
1098 #endif
1099 if (php_rfc1867_callback != NULL) {
1100 multipart_event_file_end event_file_end;
1101
1102 event_file_end.post_bytes_processed = SG(read_post_bytes);
1103 event_file_end.temp_filename = temp_filename ? ZSTR_VAL(temp_filename) : NULL;
1104 event_file_end.cancel_upload = cancel_upload;
1105 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1106 cancel_upload = UPLOAD_ERROR_X;
1107 }
1108 }
1109
1110 if (cancel_upload) {
1111 if (temp_filename) {
1112 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
1113 unlink(ZSTR_VAL(temp_filename));
1114 }
1115 zend_string_release_ex(temp_filename, 0);
1116 }
1117 temp_filename = NULL;
1118 } else {
1119 zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1120 }
1121
1122 /* is_arr_upload is true when name of file upload field
1123 * ends in [.*]
1124 * start_arr is set to point to 1st [ */
1125 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1126
1127 if (is_arr_upload) {
1128 array_len = strlen(start_arr);
1129 if (array_index) {
1130 efree(array_index);
1131 }
1132 array_index = estrndup(start_arr + 1, array_len - 2);
1133 }
1134
1135 /* Add $foo_name */
1136 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1137 llen = (int)strlen(param);
1138 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1139 llen += MAX_SIZE_OF_INDEX + 1;
1140 }
1141
1142 if (is_arr_upload) {
1143 if (abuf) efree(abuf);
1144 abuf = estrndup(param, strlen(param)-array_len);
1145 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1146 } else {
1147 snprintf(lbuf, llen, "%s_name", param);
1148 }
1149
1150 /* The \ check should technically be needed for win32 systems only where
1151 * it is a valid path separator. However, IE in all it's wisdom always sends
1152 * the full path of the file on the user's filesystem, which means that unless
1153 * the user does basename() they get a bogus file name. Until IE's user base drops
1154 * to nill or problem is fixed this code must remain enabled for all systems. */
1155 s = _basename(internal_encoding, filename);
1156 if (!s) {
1157 s = filename;
1158 }
1159
1160 if (!is_anonymous) {
1161 safe_php_register_variable(lbuf, s, strlen(s), NULL, 0);
1162 }
1163
1164 /* Add $foo[name] */
1165 if (is_arr_upload) {
1166 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1167 } else {
1168 snprintf(lbuf, llen, "%s[name]", param);
1169 }
1170 register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1171 efree(filename);
1172 s = NULL;
1173
1174 /* Possible Content-Type: */
1175 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1176 cd = "";
1177 } else {
1178 /* fix for Opera 6.01 */
1179 s = strchr(cd, ';');
1180 if (s != NULL) {
1181 *s = '\0';
1182 }
1183 }
1184
1185 /* Add $foo_type */
1186 if (is_arr_upload) {
1187 snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1188 } else {
1189 snprintf(lbuf, llen, "%s_type", param);
1190 }
1191 if (!is_anonymous) {
1192 safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0);
1193 }
1194
1195 /* Add $foo[type] */
1196 if (is_arr_upload) {
1197 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1198 } else {
1199 snprintf(lbuf, llen, "%s[type]", param);
1200 }
1201 register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1202
1203 /* Restore Content-Type Header */
1204 if (s != NULL) {
1205 *s = ';';
1206 }
1207 s = "";
1208
1209 {
1210 /* store temp_filename as-is (in case upload_tmp_dir
1211 * contains escapeable characters. escape only the variable name.) */
1212 zval zfilename;
1213
1214 /* Initialize variables */
1215 add_protected_variable(param);
1216
1217 /* if param is of form xxx[.*] this will cut it to xxx */
1218 if (!is_anonymous) {
1219 if (temp_filename) {
1220 ZVAL_STR_COPY(&zfilename, temp_filename);
1221 } else {
1222 ZVAL_EMPTY_STRING(&zfilename);
1223 }
1224 safe_php_register_variable_ex(param, &zfilename, NULL, 1);
1225 }
1226
1227 /* Add $foo[tmp_name] */
1228 if (is_arr_upload) {
1229 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1230 } else {
1231 snprintf(lbuf, llen, "%s[tmp_name]", param);
1232 }
1233 add_protected_variable(lbuf);
1234 if (temp_filename) {
1235 ZVAL_STR_COPY(&zfilename, temp_filename);
1236 } else {
1237 ZVAL_EMPTY_STRING(&zfilename);
1238 }
1239 register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1240 }
1241
1242 {
1243 zval file_size, error_type;
1244 int size_overflow = 0;
1245 char file_size_buf[65];
1246
1247 ZVAL_LONG(&error_type, cancel_upload);
1248
1249 /* Add $foo[error] */
1250 if (cancel_upload) {
1251 ZVAL_LONG(&file_size, 0);
1252 } else {
1253 if (total_bytes > ZEND_LONG_MAX) {
1254 #ifdef PHP_WIN32
1255 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1256 file_size_buf[0] = '0';
1257 file_size_buf[1] = '\0';
1258 }
1259 #else
1260 {
1261 int __len = snprintf(file_size_buf, 65, "%" PRId64, total_bytes);
1262 file_size_buf[__len] = '\0';
1263 }
1264 #endif
1265 size_overflow = 1;
1266
1267 } else {
1268 ZVAL_LONG(&file_size, total_bytes);
1269 }
1270 }
1271
1272 if (is_arr_upload) {
1273 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1274 } else {
1275 snprintf(lbuf, llen, "%s[error]", param);
1276 }
1277 register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1278
1279 /* Add $foo_size */
1280 if (is_arr_upload) {
1281 snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1282 } else {
1283 snprintf(lbuf, llen, "%s_size", param);
1284 }
1285 if (!is_anonymous) {
1286 if (size_overflow) {
1287 ZVAL_STRING(&file_size, file_size_buf);
1288 }
1289 safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow);
1290 }
1291
1292 /* Add $foo[size] */
1293 if (is_arr_upload) {
1294 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1295 } else {
1296 snprintf(lbuf, llen, "%s[size]", param);
1297 }
1298 if (size_overflow) {
1299 ZVAL_STRING(&file_size, file_size_buf);
1300 }
1301 register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1302 }
1303 efree(param);
1304 }
1305 }
1306
1307 fileupload_done:
1308 if (php_rfc1867_callback != NULL) {
1309 multipart_event_end event_end;
1310
1311 event_end.post_bytes_processed = SG(read_post_bytes);
1312 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1313 }
1314
1315 if (lbuf) efree(lbuf);
1316 if (abuf) efree(abuf);
1317 if (array_index) efree(array_index);
1318 zend_hash_destroy(&PG(rfc1867_protected_variables));
1319 zend_llist_destroy(&header);
1320 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1321 if (mbuff->boundary) efree(mbuff->boundary);
1322 if (mbuff->buffer) efree(mbuff->buffer);
1323 if (mbuff) efree(mbuff);
1324 }
1325 /* }}} */
1326
1327 SAPI_API void php_rfc1867_set_multibyte_callbacks(
1328 php_rfc1867_encoding_translation_t encoding_translation,
1329 php_rfc1867_get_detect_order_t get_detect_order,
1330 php_rfc1867_set_input_encoding_t set_input_encoding,
1331 php_rfc1867_getword_t getword,
1332 php_rfc1867_getword_conf_t getword_conf,
1333 php_rfc1867_basename_t basename) /* {{{ */
1334 {
1335 php_rfc1867_encoding_translation = encoding_translation;
1336 php_rfc1867_get_detect_order = get_detect_order;
1337 php_rfc1867_set_input_encoding = set_input_encoding;
1338 php_rfc1867_getword = getword;
1339 php_rfc1867_getword_conf = getword_conf;
1340 php_rfc1867_basename = basename;
1341 }
1342 /* }}} */
1343
1344 /*
1345 * Local variables:
1346 * tab-width: 4
1347 * c-basic-offset: 4
1348 * End:
1349 * vim600: sw=4 ts=4 fdm=marker
1350 * vim<600: sw=4 ts=4
1351 */
1352
