1 | /* |
2 | +----------------------------------------------------------------------+ |
3 | | PHP Version 5 | |
4 | +----------------------------------------------------------------------+ |
5 | | Copyright (c) 1997-2015 The PHP Group | |
6 | +----------------------------------------------------------------------+ |
7 | | This source file is subject to version 3.01 of the PHP license, | |
8 | | that is bundled with this package in the file LICENSE, and is | |
9 | | available through the world-wide-web at the following url: | |
10 | | http://www.php.net/license/3_01.txt | |
11 | | If you did not receive a copy of the PHP license and are unable to | |
12 | | obtain it through the world-wide-web, please send a note to | |
13 | | license@php.net so we can mail you a copy immediately. | |
14 | +----------------------------------------------------------------------+ |
15 | | Authors: Rasmus Lerdorf <rasmus@php.net> | |
16 | | Jani Taskinen <jani@php.net> | |
17 | +----------------------------------------------------------------------+ |
18 | */ |
19 | |
20 | /* $Id$ */ |
21 | |
22 | /* |
23 | * This product includes software developed by the Apache Group |
24 | * for use in the Apache HTTP server project (http://www.apache.org/). |
25 | * |
26 | */ |
27 | |
28 | #include <stdio.h> |
29 | #include "php.h" |
30 | #include "php_open_temporary_file.h" |
31 | #include "zend_globals.h" |
32 | #include "php_globals.h" |
33 | #include "php_variables.h" |
34 | #include "rfc1867.h" |
35 | #include "ext/standard/php_string.h" |
36 | #include "ext/standard/php_smart_str.h" |
37 | |
38 | #if defined(PHP_WIN32) && !defined(HAVE_ATOLL) |
39 | # define atoll(s) _atoi64(s) |
40 | # define HAVE_ATOLL 1 |
41 | #endif |
42 | |
43 | #define DEBUG_FILE_UPLOAD ZEND_DEBUG |
44 | |
45 | static int dummy_encoding_translation(TSRMLS_D) |
46 | { |
47 | return 0; |
48 | } |
49 | |
50 | static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop TSRMLS_DC); |
51 | static char *php_ap_getword_conf(const zend_encoding *encoding, char *str TSRMLS_DC); |
52 | |
53 | static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation; |
54 | static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL; |
55 | static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL; |
56 | static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword; |
57 | static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf; |
58 | static php_rfc1867_basename_t php_rfc1867_basename = NULL; |
59 | |
60 | PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void ** TSRMLS_DC) = NULL; |
61 | |
62 | static void safe_php_register_variable(char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC); |
63 | |
64 | /* The longest property name we use in an uploaded file array */ |
65 | #define MAX_SIZE_OF_INDEX sizeof("[tmp_name]") |
66 | |
67 | /* The longest anonymous name */ |
68 | #define MAX_SIZE_ANONNAME 33 |
69 | |
70 | /* Errors */ |
71 | #define UPLOAD_ERROR_OK 0 /* File upload successful */ |
72 | #define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */ |
73 | #define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */ |
74 | #define UPLOAD_ERROR_C 3 /* Partially uploaded */ |
75 | #define UPLOAD_ERROR_D 4 /* No file uploaded */ |
76 | #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */ |
77 | #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */ |
78 | #define UPLOAD_ERROR_X 8 /* File upload stopped by extension */ |
79 | |
80 | void php_rfc1867_register_constants(TSRMLS_D) /* {{{ */ |
81 | { |
82 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK" , UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT); |
83 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE" , UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT); |
84 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE" , UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT); |
85 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL" , UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT); |
86 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE" , UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT); |
87 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR" , UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT); |
88 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE" , UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT); |
89 | REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION" , UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT); |
90 | } |
91 | /* }}} */ |
92 | |
93 | static void normalize_protected_variable(char *varname TSRMLS_DC) /* {{{ */ |
94 | { |
95 | char *s = varname, *index = NULL, *indexend = NULL, *p; |
96 | |
97 | /* overjump leading space */ |
98 | while (*s == ' ') { |
99 | s++; |
100 | } |
101 | |
102 | /* and remove it */ |
103 | if (s != varname) { |
104 | memmove(varname, s, strlen(s)+1); |
105 | } |
106 | |
107 | for (p = varname; *p && *p != '['; p++) { |
108 | switch(*p) { |
109 | case ' ': |
110 | case '.': |
111 | *p = '_'; |
112 | break; |
113 | } |
114 | } |
115 | |
116 | /* find index */ |
117 | index = strchr(varname, '['); |
118 | if (index) { |
119 | index++; |
120 | s = index; |
121 | } else { |
122 | return; |
123 | } |
124 | |
125 | /* done? */ |
126 | while (index) { |
127 | while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') { |
128 | index++; |
129 | } |
130 | indexend = strchr(index, ']'); |
131 | indexend = indexend ? indexend + 1 : index + strlen(index); |
132 | |
133 | if (s != index) { |
134 | memmove(s, index, strlen(index)+1); |
135 | s += indexend-index; |
136 | } else { |
137 | s = indexend; |
138 | } |
139 | |
140 | if (*s == '[') { |
141 | s++; |
142 | index = s; |
143 | } else { |
144 | index = NULL; |
145 | } |
146 | } |
147 | *s = '\0'; |
148 | } |
149 | /* }}} */ |
150 | |
151 | static void add_protected_variable(char *varname TSRMLS_DC) /* {{{ */ |
152 | { |
153 | int dummy = 1; |
154 | |
155 | normalize_protected_variable(varname TSRMLS_CC); |
156 | zend_hash_add(&PG(rfc1867_protected_variables), varname, strlen(varname)+1, &dummy, sizeof(int), NULL); |
157 | } |
158 | /* }}} */ |
159 | |
160 | static zend_bool is_protected_variable(char *varname TSRMLS_DC) /* {{{ */ |
161 | { |
162 | normalize_protected_variable(varname TSRMLS_CC); |
163 | return zend_hash_exists(&PG(rfc1867_protected_variables), varname, strlen(varname)+1); |
164 | } |
165 | /* }}} */ |
166 | |
167 | static void safe_php_register_variable(char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC) /* {{{ */ |
168 | { |
169 | if (override_protection || !is_protected_variable(var TSRMLS_CC)) { |
170 | php_register_variable_safe(var, strval, val_len, track_vars_array TSRMLS_CC); |
171 | } |
172 | } |
173 | /* }}} */ |
174 | |
175 | static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection TSRMLS_DC) /* {{{ */ |
176 | { |
177 | if (override_protection || !is_protected_variable(var TSRMLS_CC)) { |
178 | php_register_variable_ex(var, val, track_vars_array TSRMLS_CC); |
179 | } |
180 | } |
181 | /* }}} */ |
182 | |
183 | static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC) /* {{{ */ |
184 | { |
185 | safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection TSRMLS_CC); |
186 | } |
187 | /* }}} */ |
188 | |
189 | static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC) /* {{{ */ |
190 | { |
191 | safe_php_register_variable_ex(var, val, http_post_files, override_protection TSRMLS_CC); |
192 | } |
193 | /* }}} */ |
194 | |
195 | static int unlink_filename(char **filename TSRMLS_DC) /* {{{ */ |
196 | { |
197 | VCWD_UNLINK(*filename); |
198 | return 0; |
199 | } |
200 | /* }}} */ |
201 | |
202 | void destroy_uploaded_files_hash(TSRMLS_D) /* {{{ */ |
203 | { |
204 | zend_hash_apply(SG(rfc1867_uploaded_files), (apply_func_t) unlink_filename TSRMLS_CC); |
205 | zend_hash_destroy(SG(rfc1867_uploaded_files)); |
206 | FREE_HASHTABLE(SG(rfc1867_uploaded_files)); |
207 | } |
208 | /* }}} */ |
209 | |
210 | /* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */ |
211 | |
212 | #define FILLUNIT (1024 * 5) |
213 | |
214 | typedef struct { |
215 | |
216 | /* read buffer */ |
217 | char *buffer; |
218 | char *buf_begin; |
219 | int bufsize; |
220 | int bytes_in_buffer; |
221 | |
222 | /* boundary info */ |
223 | char *boundary; |
224 | char *boundary_next; |
225 | int boundary_next_len; |
226 | |
227 | const zend_encoding *input_encoding; |
228 | const zend_encoding **detect_order; |
229 | size_t detect_order_size; |
230 | } multipart_buffer; |
231 | |
232 | typedef struct { |
233 | char *key; |
234 | char *value; |
235 | } ; |
236 | |
237 | /* |
238 | * Fill up the buffer with client data. |
239 | * Returns number of bytes added to buffer. |
240 | */ |
241 | static int fill_buffer(multipart_buffer *self TSRMLS_DC) |
242 | { |
243 | int bytes_to_read, total_read = 0, actual_read = 0; |
244 | |
245 | /* shift the existing data if necessary */ |
246 | if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) { |
247 | memmove(self->buffer, self->buf_begin, self->bytes_in_buffer); |
248 | } |
249 | |
250 | self->buf_begin = self->buffer; |
251 | |
252 | /* calculate the free space in the buffer */ |
253 | bytes_to_read = self->bufsize - self->bytes_in_buffer; |
254 | |
255 | /* read the required number of bytes */ |
256 | while (bytes_to_read > 0) { |
257 | |
258 | char *buf = self->buffer + self->bytes_in_buffer; |
259 | |
260 | actual_read = sapi_module.read_post(buf, bytes_to_read TSRMLS_CC); |
261 | |
262 | /* update the buffer length */ |
263 | if (actual_read > 0) { |
264 | self->bytes_in_buffer += actual_read; |
265 | SG(read_post_bytes) += actual_read; |
266 | total_read += actual_read; |
267 | bytes_to_read -= actual_read; |
268 | } else { |
269 | break; |
270 | } |
271 | } |
272 | |
273 | return total_read; |
274 | } |
275 | |
276 | /* eof if we are out of bytes, or if we hit the final boundary */ |
277 | static int multipart_buffer_eof(multipart_buffer *self TSRMLS_DC) |
278 | { |
279 | if ( (self->bytes_in_buffer == 0 && fill_buffer(self TSRMLS_CC) < 1) ) { |
280 | return 1; |
281 | } else { |
282 | return 0; |
283 | } |
284 | } |
285 | |
286 | /* create new multipart_buffer structure */ |
287 | static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len TSRMLS_DC) |
288 | { |
289 | multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer)); |
290 | |
291 | int minsize = boundary_len + 6; |
292 | if (minsize < FILLUNIT) minsize = FILLUNIT; |
293 | |
294 | self->buffer = (char *) ecalloc(1, minsize + 1); |
295 | self->bufsize = minsize; |
296 | |
297 | spprintf(&self->boundary, 0, "--%s" , boundary); |
298 | |
299 | self->boundary_next_len = spprintf(&self->boundary_next, 0, "\n--%s" , boundary); |
300 | |
301 | self->buf_begin = self->buffer; |
302 | self->bytes_in_buffer = 0; |
303 | |
304 | if (php_rfc1867_encoding_translation(TSRMLS_C)) { |
305 | php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size TSRMLS_CC); |
306 | } else { |
307 | self->detect_order = NULL; |
308 | self->detect_order_size = 0; |
309 | } |
310 | |
311 | self->input_encoding = NULL; |
312 | |
313 | return self; |
314 | } |
315 | |
316 | /* |
317 | * Gets the next CRLF terminated line from the input buffer. |
318 | * If it doesn't find a CRLF, and the buffer isn't completely full, returns |
319 | * NULL; otherwise, returns the beginning of the null-terminated line, |
320 | * minus the CRLF. |
321 | * |
322 | * Note that we really just look for LF terminated lines. This works |
323 | * around a bug in internet explorer for the macintosh which sends mime |
324 | * boundaries that are only LF terminated when you use an image submit |
325 | * button in a multipart/form-data form. |
326 | */ |
327 | static char *next_line(multipart_buffer *self) |
328 | { |
329 | /* look for LF in the data */ |
330 | char* line = self->buf_begin; |
331 | char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer); |
332 | |
333 | if (ptr) { /* LF found */ |
334 | |
335 | /* terminate the string, remove CRLF */ |
336 | if ((ptr - line) > 0 && *(ptr-1) == '\r') { |
337 | *(ptr-1) = 0; |
338 | } else { |
339 | *ptr = 0; |
340 | } |
341 | |
342 | /* bump the pointer */ |
343 | self->buf_begin = ptr + 1; |
344 | self->bytes_in_buffer -= (self->buf_begin - line); |
345 | |
346 | } else { /* no LF found */ |
347 | |
348 | /* buffer isn't completely full, fail */ |
349 | if (self->bytes_in_buffer < self->bufsize) { |
350 | return NULL; |
351 | } |
352 | /* return entire buffer as a partial line */ |
353 | line[self->bufsize] = 0; |
354 | self->buf_begin = ptr; |
355 | self->bytes_in_buffer = 0; |
356 | } |
357 | |
358 | return line; |
359 | } |
360 | |
361 | /* Returns the next CRLF terminated line from the client */ |
362 | static char *get_line(multipart_buffer *self TSRMLS_DC) |
363 | { |
364 | char* ptr = next_line(self); |
365 | |
366 | if (!ptr) { |
367 | fill_buffer(self TSRMLS_CC); |
368 | ptr = next_line(self); |
369 | } |
370 | |
371 | return ptr; |
372 | } |
373 | |
374 | /* Free header entry */ |
375 | static void php_free_hdr_entry(mime_header_entry *h) |
376 | { |
377 | if (h->key) { |
378 | efree(h->key); |
379 | } |
380 | if (h->value) { |
381 | efree(h->value); |
382 | } |
383 | } |
384 | |
385 | /* finds a boundary */ |
386 | static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC) |
387 | { |
388 | char *line; |
389 | |
390 | /* loop thru lines */ |
391 | while( (line = get_line(self TSRMLS_CC)) ) |
392 | { |
393 | /* finished if we found the boundary */ |
394 | if (!strcmp(line, boundary)) { |
395 | return 1; |
396 | } |
397 | } |
398 | |
399 | /* didn't find the boundary */ |
400 | return 0; |
401 | } |
402 | |
403 | /* parse headers */ |
404 | static int (multipart_buffer *self, zend_llist * TSRMLS_DC) |
405 | { |
406 | char *line; |
407 | mime_header_entry entry = {0}; |
408 | smart_str buf_value = {0}; |
409 | char *key = NULL; |
410 | |
411 | /* didn't find boundary, abort */ |
412 | if (!find_boundary(self, self->boundary TSRMLS_CC)) { |
413 | return 0; |
414 | } |
415 | |
416 | /* get lines of text, or CRLF_CRLF */ |
417 | |
418 | while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' ) |
419 | { |
420 | /* add header to table */ |
421 | char *value = NULL; |
422 | |
423 | if (php_rfc1867_encoding_translation(TSRMLS_C)) { |
424 | self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); |
425 | } |
426 | |
427 | /* space in the beginning means same header */ |
428 | if (!isspace(line[0])) { |
429 | value = strchr(line, ':'); |
430 | } |
431 | |
432 | if (value) { |
433 | if(buf_value.c && key) { |
434 | /* new entry, add the old one to the list */ |
435 | smart_str_0(&buf_value); |
436 | entry.key = key; |
437 | entry.value = buf_value.c; |
438 | zend_llist_add_element(header, &entry); |
439 | buf_value.c = NULL; |
440 | key = NULL; |
441 | } |
442 | |
443 | *value = '\0'; |
444 | do { value++; } while(isspace(*value)); |
445 | |
446 | key = estrdup(line); |
447 | smart_str_appends(&buf_value, value); |
448 | } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ |
449 | smart_str_appends(&buf_value, line); |
450 | } else { |
451 | continue; |
452 | } |
453 | } |
454 | if(buf_value.c && key) { |
455 | /* add the last one to the list */ |
456 | smart_str_0(&buf_value); |
457 | entry.key = key; |
458 | entry.value = buf_value.c; |
459 | zend_llist_add_element(header, &entry); |
460 | } |
461 | |
462 | return 1; |
463 | } |
464 | |
465 | static char *php_mime_get_hdr_value(zend_llist , char *key) |
466 | { |
467 | mime_header_entry *entry; |
468 | |
469 | if (key == NULL) { |
470 | return NULL; |
471 | } |
472 | |
473 | entry = zend_llist_get_first(&header); |
474 | while (entry) { |
475 | if (!strcasecmp(entry->key, key)) { |
476 | return entry->value; |
477 | } |
478 | entry = zend_llist_get_next(&header); |
479 | } |
480 | |
481 | return NULL; |
482 | } |
483 | |
484 | static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop TSRMLS_DC) |
485 | { |
486 | char *pos = *line, quote; |
487 | char *res; |
488 | |
489 | while (*pos && *pos != stop) { |
490 | if ((quote = *pos) == '"' || quote == '\'') { |
491 | ++pos; |
492 | while (*pos && *pos != quote) { |
493 | if (*pos == '\\' && pos[1] && pos[1] == quote) { |
494 | pos += 2; |
495 | } else { |
496 | ++pos; |
497 | } |
498 | } |
499 | if (*pos) { |
500 | ++pos; |
501 | } |
502 | } else ++pos; |
503 | } |
504 | if (*pos == '\0') { |
505 | res = estrdup(*line); |
506 | *line += strlen(*line); |
507 | return res; |
508 | } |
509 | |
510 | res = estrndup(*line, pos - *line); |
511 | |
512 | while (*pos == stop) { |
513 | ++pos; |
514 | } |
515 | |
516 | *line = pos; |
517 | return res; |
518 | } |
519 | |
520 | static char *substring_conf(char *start, int len, char quote) |
521 | { |
522 | char *result = emalloc(len + 1); |
523 | char *resp = result; |
524 | int i; |
525 | |
526 | for (i = 0; i < len && start[i] != quote; ++i) { |
527 | if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) { |
528 | *resp++ = start[++i]; |
529 | } else { |
530 | *resp++ = start[i]; |
531 | } |
532 | } |
533 | |
534 | *resp = '\0'; |
535 | return result; |
536 | } |
537 | |
538 | static char *php_ap_getword_conf(const zend_encoding *encoding, char *str TSRMLS_DC) |
539 | { |
540 | while (*str && isspace(*str)) { |
541 | ++str; |
542 | } |
543 | |
544 | if (!*str) { |
545 | return estrdup("" ); |
546 | } |
547 | |
548 | if (*str == '"' || *str == '\'') { |
549 | char quote = *str; |
550 | |
551 | str++; |
552 | return substring_conf(str, strlen(str), quote); |
553 | } else { |
554 | char *strend = str; |
555 | |
556 | while (*strend && !isspace(*strend)) { |
557 | ++strend; |
558 | } |
559 | return substring_conf(str, strend - str, 0); |
560 | } |
561 | } |
562 | |
563 | static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC) |
564 | { |
565 | char *s = strrchr(path, '\\'); |
566 | char *s2 = strrchr(path, '/'); |
567 | |
568 | if (s && s2) { |
569 | if (s > s2) { |
570 | ++s; |
571 | } else { |
572 | s = ++s2; |
573 | } |
574 | return s; |
575 | } else if (s) { |
576 | return ++s; |
577 | } else if (s2) { |
578 | return ++s2; |
579 | } |
580 | return path; |
581 | } |
582 | |
583 | /* |
584 | * Search for a string in a fixed-length byte string. |
585 | * If partial is true, partial matches are allowed at the end of the buffer. |
586 | * Returns NULL if not found, or a pointer to the start of the first match. |
587 | */ |
588 | static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial) |
589 | { |
590 | int len = haystacklen; |
591 | char *ptr = haystack; |
592 | |
593 | /* iterate through first character matches */ |
594 | while( (ptr = memchr(ptr, needle[0], len)) ) { |
595 | |
596 | /* calculate length after match */ |
597 | len = haystacklen - (ptr - (char *)haystack); |
598 | |
599 | /* done if matches up to capacity of buffer */ |
600 | if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) { |
601 | break; |
602 | } |
603 | |
604 | /* next character */ |
605 | ptr++; len--; |
606 | } |
607 | |
608 | return ptr; |
609 | } |
610 | |
611 | /* read until a boundary condition */ |
612 | static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC) |
613 | { |
614 | int len, max; |
615 | char *bound; |
616 | |
617 | /* fill buffer if needed */ |
618 | if (bytes > self->bytes_in_buffer) { |
619 | fill_buffer(self TSRMLS_CC); |
620 | } |
621 | |
622 | /* look for a potential boundary match, only read data up to that point */ |
623 | if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) { |
624 | max = bound - self->buf_begin; |
625 | if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) { |
626 | *end = 1; |
627 | } |
628 | } else { |
629 | max = self->bytes_in_buffer; |
630 | } |
631 | |
632 | /* maximum number of bytes we are reading */ |
633 | len = max < bytes-1 ? max : bytes-1; |
634 | |
635 | /* if we read any data... */ |
636 | if (len > 0) { |
637 | |
638 | /* copy the data */ |
639 | memcpy(buf, self->buf_begin, len); |
640 | buf[len] = 0; |
641 | |
642 | if (bound && len > 0 && buf[len-1] == '\r') { |
643 | buf[--len] = 0; |
644 | } |
645 | |
646 | /* update the buffer */ |
647 | self->bytes_in_buffer -= len; |
648 | self->buf_begin += len; |
649 | } |
650 | |
651 | return len; |
652 | } |
653 | |
654 | /* |
655 | XXX: this is horrible memory-usage-wise, but we only expect |
656 | to do this on small pieces of form data. |
657 | */ |
658 | static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC) |
659 | { |
660 | char buf[FILLUNIT], *out=NULL; |
661 | int total_bytes=0, read_bytes=0; |
662 | |
663 | while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) { |
664 | out = erealloc(out, total_bytes + read_bytes + 1); |
665 | memcpy(out + total_bytes, buf, read_bytes); |
666 | total_bytes += read_bytes; |
667 | } |
668 | |
669 | if (out) { |
670 | out[total_bytes] = '\0'; |
671 | } |
672 | *len = total_bytes; |
673 | |
674 | return out; |
675 | } |
676 | /* }}} */ |
677 | |
678 | /* |
679 | * The combined READER/HANDLER |
680 | * |
681 | */ |
682 | |
683 | SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ |
684 | { |
685 | char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; |
686 | char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL; |
687 | int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; |
688 | int64_t total_bytes = 0, max_file_size = 0; |
689 | int skip_upload = 0, anonindex = 0, is_anonymous; |
690 | zval *http_post_files = NULL; |
691 | HashTable *uploaded_files = NULL; |
692 | multipart_buffer *mbuff; |
693 | zval *array_ptr = (zval *) arg; |
694 | int fd = -1; |
695 | zend_llist ; |
696 | void * = NULL; |
697 | unsigned int llen = 0; |
698 | int upload_cnt = INI_INT("max_file_uploads" ); |
699 | const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C); |
700 | php_rfc1867_getword_t getword; |
701 | php_rfc1867_getword_conf_t getword_conf; |
702 | php_rfc1867_basename_t _basename; |
703 | long count = 0; |
704 | |
705 | if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) { |
706 | getword = php_rfc1867_getword; |
707 | getword_conf = php_rfc1867_getword_conf; |
708 | _basename = php_rfc1867_basename; |
709 | } else { |
710 | getword = php_ap_getword; |
711 | getword_conf = php_ap_getword_conf; |
712 | _basename = php_ap_basename; |
713 | } |
714 | |
715 | if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { |
716 | sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes" , SG(request_info).content_length, SG(post_max_size)); |
717 | return; |
718 | } |
719 | |
720 | /* Get the boundary */ |
721 | boundary = strstr(content_type_dup, "boundary" ); |
722 | if (!boundary) { |
723 | int content_type_len = strlen(content_type_dup); |
724 | char *content_type_lcase = estrndup(content_type_dup, content_type_len); |
725 | |
726 | php_strtolower(content_type_lcase, content_type_len); |
727 | boundary = strstr(content_type_lcase, "boundary" ); |
728 | if (boundary) { |
729 | boundary = content_type_dup + (boundary - content_type_lcase); |
730 | } |
731 | efree(content_type_lcase); |
732 | } |
733 | |
734 | if (!boundary || !(boundary = strchr(boundary, '='))) { |
735 | sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data" ); |
736 | return; |
737 | } |
738 | |
739 | boundary++; |
740 | boundary_len = strlen(boundary); |
741 | |
742 | if (boundary[0] == '"') { |
743 | boundary++; |
744 | boundary_end = strchr(boundary, '"'); |
745 | if (!boundary_end) { |
746 | sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data" ); |
747 | return; |
748 | } |
749 | } else { |
750 | /* search for the end of the boundary */ |
751 | boundary_end = strpbrk(boundary, ",;" ); |
752 | } |
753 | if (boundary_end) { |
754 | boundary_end[0] = '\0'; |
755 | boundary_len = boundary_end-boundary; |
756 | } |
757 | |
758 | /* Initialize the buffer */ |
759 | if (!(mbuff = multipart_buffer_new(boundary, boundary_len TSRMLS_CC))) { |
760 | sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer" ); |
761 | return; |
762 | } |
763 | |
764 | /* Initialize $_FILES[] */ |
765 | zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0); |
766 | |
767 | ALLOC_HASHTABLE(uploaded_files); |
768 | zend_hash_init(uploaded_files, 5, NULL, (dtor_func_t) free_estring, 0); |
769 | SG(rfc1867_uploaded_files) = uploaded_files; |
770 | |
771 | ALLOC_ZVAL(http_post_files); |
772 | array_init(http_post_files); |
773 | INIT_PZVAL(http_post_files); |
774 | PG(http_globals)[TRACK_VARS_FILES] = http_post_files; |
775 | |
776 | zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0); |
777 | |
778 | if (php_rfc1867_callback != NULL) { |
779 | multipart_event_start event_start; |
780 | |
781 | event_start.content_length = SG(request_info).content_length; |
782 | if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data TSRMLS_CC) == FAILURE) { |
783 | goto fileupload_done; |
784 | } |
785 | } |
786 | |
787 | while (!multipart_buffer_eof(mbuff TSRMLS_CC)) |
788 | { |
789 | char buff[FILLUNIT]; |
790 | char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL; |
791 | size_t blen = 0, wlen = 0; |
792 | off_t offset; |
793 | |
794 | zend_llist_clean(&header); |
795 | |
796 | if (!multipart_buffer_headers(mbuff, &header TSRMLS_CC)) { |
797 | goto fileupload_done; |
798 | } |
799 | |
800 | if ((cd = php_mime_get_hdr_value(header, "Content-Disposition" ))) { |
801 | char *pair = NULL; |
802 | int end = 0; |
803 | |
804 | while (isspace(*cd)) { |
805 | ++cd; |
806 | } |
807 | |
808 | while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';' TSRMLS_CC))) |
809 | { |
810 | char *key = NULL, *word = pair; |
811 | |
812 | while (isspace(*cd)) { |
813 | ++cd; |
814 | } |
815 | |
816 | if (strchr(pair, '=')) { |
817 | key = getword(mbuff->input_encoding, &pair, '=' TSRMLS_CC); |
818 | |
819 | if (!strcasecmp(key, "name" )) { |
820 | if (param) { |
821 | efree(param); |
822 | } |
823 | param = getword_conf(mbuff->input_encoding, pair TSRMLS_CC); |
824 | if (mbuff->input_encoding && internal_encoding) { |
825 | unsigned char *new_param; |
826 | size_t new_param_len; |
827 | if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding TSRMLS_CC)) { |
828 | efree(param); |
829 | param = (char *)new_param; |
830 | } |
831 | } |
832 | } else if (!strcasecmp(key, "filename" )) { |
833 | if (filename) { |
834 | efree(filename); |
835 | } |
836 | filename = getword_conf(mbuff->input_encoding, pair TSRMLS_CC); |
837 | if (mbuff->input_encoding && internal_encoding) { |
838 | unsigned char *new_filename; |
839 | size_t new_filename_len; |
840 | if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding TSRMLS_CC)) { |
841 | efree(filename); |
842 | filename = (char *)new_filename; |
843 | } |
844 | } |
845 | } |
846 | } |
847 | if (key) { |
848 | efree(key); |
849 | } |
850 | efree(word); |
851 | } |
852 | |
853 | /* Normal form variable, safe to read all data into memory */ |
854 | if (!filename && param) { |
855 | unsigned int value_len; |
856 | char *value = multipart_buffer_read_body(mbuff, &value_len TSRMLS_CC); |
857 | unsigned int new_val_len; /* Dummy variable */ |
858 | |
859 | if (!value) { |
860 | value = estrdup("" ); |
861 | value_len = 0; |
862 | } |
863 | |
864 | if (mbuff->input_encoding && internal_encoding) { |
865 | unsigned char *new_value; |
866 | size_t new_value_len; |
867 | if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding TSRMLS_CC)) { |
868 | efree(value); |
869 | value = (char *)new_value; |
870 | value_len = new_value_len; |
871 | } |
872 | } |
873 | |
874 | if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { |
875 | if (php_rfc1867_callback != NULL) { |
876 | multipart_event_formdata event_formdata; |
877 | size_t newlength = new_val_len; |
878 | |
879 | event_formdata.post_bytes_processed = SG(read_post_bytes); |
880 | event_formdata.name = param; |
881 | event_formdata.value = &value; |
882 | event_formdata.length = new_val_len; |
883 | event_formdata.newlength = &newlength; |
884 | if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC) == FAILURE) { |
885 | efree(param); |
886 | efree(value); |
887 | continue; |
888 | } |
889 | new_val_len = newlength; |
890 | } |
891 | safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC); |
892 | } else { |
893 | if (count == PG(max_input_vars) + 1) { |
894 | php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini." , PG(max_input_vars)); |
895 | } |
896 | |
897 | if (php_rfc1867_callback != NULL) { |
898 | multipart_event_formdata event_formdata; |
899 | |
900 | event_formdata.post_bytes_processed = SG(read_post_bytes); |
901 | event_formdata.name = param; |
902 | event_formdata.value = &value; |
903 | event_formdata.length = value_len; |
904 | event_formdata.newlength = NULL; |
905 | php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); |
906 | } |
907 | } |
908 | |
909 | if (!strcasecmp(param, "MAX_FILE_SIZE" )) { |
910 | #ifdef HAVE_ATOLL |
911 | max_file_size = atoll(value); |
912 | #else |
913 | max_file_size = strtoll(value, NULL, 10); |
914 | #endif |
915 | } |
916 | |
917 | efree(param); |
918 | efree(value); |
919 | continue; |
920 | } |
921 | |
922 | /* If file_uploads=off, skip the file part */ |
923 | if (!PG(file_uploads)) { |
924 | skip_upload = 1; |
925 | } else if (upload_cnt <= 0) { |
926 | skip_upload = 1; |
927 | sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded" ); |
928 | } |
929 | |
930 | /* Return with an error if the posted data is garbled */ |
931 | if (!param && !filename) { |
932 | sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled" ); |
933 | goto fileupload_done; |
934 | } |
935 | |
936 | if (!param) { |
937 | is_anonymous = 1; |
938 | param = emalloc(MAX_SIZE_ANONNAME); |
939 | snprintf(param, MAX_SIZE_ANONNAME, "%u" , anonindex++); |
940 | } else { |
941 | is_anonymous = 0; |
942 | } |
943 | |
944 | /* New Rule: never repair potential malicious user input */ |
945 | if (!skip_upload) { |
946 | long c = 0; |
947 | tmp = param; |
948 | |
949 | while (*tmp) { |
950 | if (*tmp == '[') { |
951 | c++; |
952 | } else if (*tmp == ']') { |
953 | c--; |
954 | if (tmp[1] && tmp[1] != '[') { |
955 | skip_upload = 1; |
956 | break; |
957 | } |
958 | } |
959 | if (c < 0) { |
960 | skip_upload = 1; |
961 | break; |
962 | } |
963 | tmp++; |
964 | } |
965 | /* Brackets should always be closed */ |
966 | if(c != 0) { |
967 | skip_upload = 1; |
968 | } |
969 | } |
970 | |
971 | total_bytes = cancel_upload = 0; |
972 | temp_filename = NULL; |
973 | fd = -1; |
974 | |
975 | if (!skip_upload && php_rfc1867_callback != NULL) { |
976 | multipart_event_file_start event_file_start; |
977 | |
978 | event_file_start.post_bytes_processed = SG(read_post_bytes); |
979 | event_file_start.name = param; |
980 | event_file_start.filename = &filename; |
981 | if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data TSRMLS_CC) == FAILURE) { |
982 | temp_filename = "" ; |
983 | efree(param); |
984 | efree(filename); |
985 | continue; |
986 | } |
987 | } |
988 | |
989 | if (skip_upload) { |
990 | efree(param); |
991 | efree(filename); |
992 | continue; |
993 | } |
994 | |
995 | if (filename[0] == '\0') { |
996 | #if DEBUG_FILE_UPLOAD |
997 | sapi_module.sapi_error(E_NOTICE, "No file uploaded" ); |
998 | #endif |
999 | cancel_upload = UPLOAD_ERROR_D; |
1000 | } |
1001 | |
1002 | offset = 0; |
1003 | end = 0; |
1004 | |
1005 | if (!cancel_upload) { |
1006 | /* only bother to open temp file if we have data */ |
1007 | blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC); |
1008 | #if DEBUG_FILE_UPLOAD |
1009 | if (blen > 0) { |
1010 | #else |
1011 | /* in non-debug mode we have no problem with 0-length files */ |
1012 | { |
1013 | #endif |
1014 | fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php" , &temp_filename, 1 TSRMLS_CC); |
1015 | upload_cnt--; |
1016 | if (fd == -1) { |
1017 | sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file" ); |
1018 | cancel_upload = UPLOAD_ERROR_E; |
1019 | } |
1020 | } |
1021 | } |
1022 | |
1023 | while (!cancel_upload && (blen > 0)) |
1024 | { |
1025 | if (php_rfc1867_callback != NULL) { |
1026 | multipart_event_file_data event_file_data; |
1027 | |
1028 | event_file_data.post_bytes_processed = SG(read_post_bytes); |
1029 | event_file_data.offset = offset; |
1030 | event_file_data.data = buff; |
1031 | event_file_data.length = blen; |
1032 | event_file_data.newlength = &blen; |
1033 | if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data TSRMLS_CC) == FAILURE) { |
1034 | cancel_upload = UPLOAD_ERROR_X; |
1035 | continue; |
1036 | } |
1037 | } |
1038 | |
1039 | if (PG(upload_max_filesize) > 0 && (long)(total_bytes+blen) > PG(upload_max_filesize)) { |
1040 | #if DEBUG_FILE_UPLOAD |
1041 | sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved" , PG(upload_max_filesize), param, filename); |
1042 | #endif |
1043 | cancel_upload = UPLOAD_ERROR_A; |
1044 | } else if (max_file_size && ((long)(total_bytes+blen) > max_file_size)) { |
1045 | #if DEBUG_FILE_UPLOAD |
1046 | sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved" , max_file_size, param, filename); |
1047 | #endif |
1048 | cancel_upload = UPLOAD_ERROR_B; |
1049 | } else if (blen > 0) { |
1050 | wlen = write(fd, buff, blen); |
1051 | |
1052 | if (wlen == -1) { |
1053 | /* write failed */ |
1054 | #if DEBUG_FILE_UPLOAD |
1055 | sapi_module.sapi_error(E_NOTICE, "write() failed - %s" , strerror(errno)); |
1056 | #endif |
1057 | cancel_upload = UPLOAD_ERROR_F; |
1058 | } else if (wlen < blen) { |
1059 | #if DEBUG_FILE_UPLOAD |
1060 | sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d" , wlen, blen); |
1061 | #endif |
1062 | cancel_upload = UPLOAD_ERROR_F; |
1063 | } else { |
1064 | total_bytes += wlen; |
1065 | } |
1066 | offset += wlen; |
1067 | } |
1068 | |
1069 | /* read data for next iteration */ |
1070 | blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC); |
1071 | } |
1072 | |
1073 | if (fd != -1) { /* may not be initialized if file could not be created */ |
1074 | close(fd); |
1075 | } |
1076 | |
1077 | if (!cancel_upload && !end) { |
1078 | #if DEBUG_FILE_UPLOAD |
1079 | sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s" , filename[0] != '\0' ? filename : "" ); |
1080 | #endif |
1081 | cancel_upload = UPLOAD_ERROR_C; |
1082 | } |
1083 | #if DEBUG_FILE_UPLOAD |
1084 | if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) { |
1085 | sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved" , param, filename); |
1086 | cancel_upload = 5; |
1087 | } |
1088 | #endif |
1089 | if (php_rfc1867_callback != NULL) { |
1090 | multipart_event_file_end event_file_end; |
1091 | |
1092 | event_file_end.post_bytes_processed = SG(read_post_bytes); |
1093 | event_file_end.temp_filename = temp_filename; |
1094 | event_file_end.cancel_upload = cancel_upload; |
1095 | if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data TSRMLS_CC) == FAILURE) { |
1096 | cancel_upload = UPLOAD_ERROR_X; |
1097 | } |
1098 | } |
1099 | |
1100 | if (cancel_upload) { |
1101 | if (temp_filename) { |
1102 | if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */ |
1103 | unlink(temp_filename); |
1104 | } |
1105 | efree(temp_filename); |
1106 | } |
1107 | temp_filename = "" ; |
1108 | } else { |
1109 | zend_hash_add(SG(rfc1867_uploaded_files), temp_filename, strlen(temp_filename) + 1, &temp_filename, sizeof(char *), NULL); |
1110 | } |
1111 | |
1112 | /* is_arr_upload is true when name of file upload field |
1113 | * ends in [.*] |
1114 | * start_arr is set to point to 1st [ */ |
1115 | is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); |
1116 | |
1117 | if (is_arr_upload) { |
1118 | array_len = strlen(start_arr); |
1119 | if (array_index) { |
1120 | efree(array_index); |
1121 | } |
1122 | array_index = estrndup(start_arr + 1, array_len - 2); |
1123 | } |
1124 | |
1125 | /* Add $foo_name */ |
1126 | if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) { |
1127 | llen = strlen(param); |
1128 | lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1); |
1129 | llen += MAX_SIZE_OF_INDEX + 1; |
1130 | } |
1131 | |
1132 | if (is_arr_upload) { |
1133 | if (abuf) efree(abuf); |
1134 | abuf = estrndup(param, strlen(param)-array_len); |
1135 | snprintf(lbuf, llen, "%s_name[%s]" , abuf, array_index); |
1136 | } else { |
1137 | snprintf(lbuf, llen, "%s_name" , param); |
1138 | } |
1139 | |
1140 | /* The \ check should technically be needed for win32 systems only where |
1141 | * it is a valid path separator. However, IE in all it's wisdom always sends |
1142 | * the full path of the file on the user's filesystem, which means that unless |
1143 | * the user does basename() they get a bogus file name. Until IE's user base drops |
1144 | * to nill or problem is fixed this code must remain enabled for all systems. */ |
1145 | s = _basename(internal_encoding, filename TSRMLS_CC); |
1146 | if (!s) { |
1147 | s = filename; |
1148 | } |
1149 | |
1150 | if (!is_anonymous) { |
1151 | safe_php_register_variable(lbuf, s, strlen(s), NULL, 0 TSRMLS_CC); |
1152 | } |
1153 | |
1154 | /* Add $foo[name] */ |
1155 | if (is_arr_upload) { |
1156 | snprintf(lbuf, llen, "%s[name][%s]" , abuf, array_index); |
1157 | } else { |
1158 | snprintf(lbuf, llen, "%s[name]" , param); |
1159 | } |
1160 | register_http_post_files_variable(lbuf, s, http_post_files, 0 TSRMLS_CC); |
1161 | efree(filename); |
1162 | s = NULL; |
1163 | |
1164 | /* Possible Content-Type: */ |
1165 | if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type" ))) { |
1166 | cd = "" ; |
1167 | } else { |
1168 | /* fix for Opera 6.01 */ |
1169 | s = strchr(cd, ';'); |
1170 | if (s != NULL) { |
1171 | *s = '\0'; |
1172 | } |
1173 | } |
1174 | |
1175 | /* Add $foo_type */ |
1176 | if (is_arr_upload) { |
1177 | snprintf(lbuf, llen, "%s_type[%s]" , abuf, array_index); |
1178 | } else { |
1179 | snprintf(lbuf, llen, "%s_type" , param); |
1180 | } |
1181 | if (!is_anonymous) { |
1182 | safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0 TSRMLS_CC); |
1183 | } |
1184 | |
1185 | /* Add $foo[type] */ |
1186 | if (is_arr_upload) { |
1187 | snprintf(lbuf, llen, "%s[type][%s]" , abuf, array_index); |
1188 | } else { |
1189 | snprintf(lbuf, llen, "%s[type]" , param); |
1190 | } |
1191 | register_http_post_files_variable(lbuf, cd, http_post_files, 0 TSRMLS_CC); |
1192 | |
1193 | /* Restore Content-Type Header */ |
1194 | if (s != NULL) { |
1195 | *s = ';'; |
1196 | } |
1197 | s = "" ; |
1198 | |
1199 | { |
1200 | /* store temp_filename as-is (in case upload_tmp_dir |
1201 | * contains escapeable characters. escape only the variable name.) */ |
1202 | zval zfilename; |
1203 | |
1204 | /* Initialize variables */ |
1205 | add_protected_variable(param TSRMLS_CC); |
1206 | |
1207 | /* if param is of form xxx[.*] this will cut it to xxx */ |
1208 | if (!is_anonymous) { |
1209 | ZVAL_STRING(&zfilename, temp_filename, 1); |
1210 | safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC); |
1211 | } |
1212 | |
1213 | /* Add $foo[tmp_name] */ |
1214 | if (is_arr_upload) { |
1215 | snprintf(lbuf, llen, "%s[tmp_name][%s]" , abuf, array_index); |
1216 | } else { |
1217 | snprintf(lbuf, llen, "%s[tmp_name]" , param); |
1218 | } |
1219 | add_protected_variable(lbuf TSRMLS_CC); |
1220 | ZVAL_STRING(&zfilename, temp_filename, 1); |
1221 | register_http_post_files_variable_ex(lbuf, &zfilename, http_post_files, 1 TSRMLS_CC); |
1222 | } |
1223 | |
1224 | { |
1225 | zval file_size, error_type; |
1226 | int size_overflow = 0; |
1227 | char file_size_buf[65]; |
1228 | |
1229 | ZVAL_LONG(&error_type, cancel_upload); |
1230 | |
1231 | /* Add $foo[error] */ |
1232 | if (cancel_upload) { |
1233 | ZVAL_LONG(&file_size, 0); |
1234 | } else { |
1235 | if (total_bytes > LONG_MAX) { |
1236 | #ifdef PHP_WIN32 |
1237 | if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) { |
1238 | file_size_buf[0] = '0'; |
1239 | file_size_buf[1] = '\0'; |
1240 | } |
1241 | #else |
1242 | { |
1243 | int __len = snprintf(file_size_buf, 65, "%lld" , total_bytes); |
1244 | file_size_buf[__len] = '\0'; |
1245 | } |
1246 | #endif |
1247 | size_overflow = 1; |
1248 | |
1249 | } else { |
1250 | ZVAL_LONG(&file_size, total_bytes); |
1251 | } |
1252 | } |
1253 | |
1254 | if (is_arr_upload) { |
1255 | snprintf(lbuf, llen, "%s[error][%s]" , abuf, array_index); |
1256 | } else { |
1257 | snprintf(lbuf, llen, "%s[error]" , param); |
1258 | } |
1259 | register_http_post_files_variable_ex(lbuf, &error_type, http_post_files, 0 TSRMLS_CC); |
1260 | |
1261 | /* Add $foo_size */ |
1262 | if (is_arr_upload) { |
1263 | snprintf(lbuf, llen, "%s_size[%s]" , abuf, array_index); |
1264 | } else { |
1265 | snprintf(lbuf, llen, "%s_size" , param); |
1266 | } |
1267 | if (!is_anonymous) { |
1268 | if (size_overflow) { |
1269 | ZVAL_STRING(&file_size, file_size_buf, 1); |
1270 | } |
1271 | safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow TSRMLS_CC); |
1272 | } |
1273 | |
1274 | /* Add $foo[size] */ |
1275 | if (is_arr_upload) { |
1276 | snprintf(lbuf, llen, "%s[size][%s]" , abuf, array_index); |
1277 | } else { |
1278 | snprintf(lbuf, llen, "%s[size]" , param); |
1279 | } |
1280 | if (size_overflow) { |
1281 | ZVAL_STRING(&file_size, file_size_buf, 1); |
1282 | } |
1283 | register_http_post_files_variable_ex(lbuf, &file_size, http_post_files, size_overflow TSRMLS_CC); |
1284 | } |
1285 | efree(param); |
1286 | } |
1287 | } |
1288 | |
1289 | fileupload_done: |
1290 | if (php_rfc1867_callback != NULL) { |
1291 | multipart_event_end event_end; |
1292 | |
1293 | event_end.post_bytes_processed = SG(read_post_bytes); |
1294 | php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data TSRMLS_CC); |
1295 | } |
1296 | |
1297 | if (lbuf) efree(lbuf); |
1298 | if (abuf) efree(abuf); |
1299 | if (array_index) efree(array_index); |
1300 | zend_hash_destroy(&PG(rfc1867_protected_variables)); |
1301 | zend_llist_destroy(&header); |
1302 | if (mbuff->boundary_next) efree(mbuff->boundary_next); |
1303 | if (mbuff->boundary) efree(mbuff->boundary); |
1304 | if (mbuff->buffer) efree(mbuff->buffer); |
1305 | if (mbuff) efree(mbuff); |
1306 | } |
1307 | /* }}} */ |
1308 | |
1309 | SAPI_API void php_rfc1867_set_multibyte_callbacks( |
1310 | php_rfc1867_encoding_translation_t encoding_translation, |
1311 | php_rfc1867_get_detect_order_t get_detect_order, |
1312 | php_rfc1867_set_input_encoding_t set_input_encoding, |
1313 | php_rfc1867_getword_t getword, |
1314 | php_rfc1867_getword_conf_t getword_conf, |
1315 | php_rfc1867_basename_t basename) /* {{{ */ |
1316 | { |
1317 | php_rfc1867_encoding_translation = encoding_translation; |
1318 | php_rfc1867_get_detect_order = get_detect_order; |
1319 | php_rfc1867_set_input_encoding = set_input_encoding; |
1320 | php_rfc1867_getword = getword; |
1321 | php_rfc1867_getword_conf = getword_conf; |
1322 | php_rfc1867_basename = basename; |
1323 | } |
1324 | /* }}} */ |
1325 | |
1326 | /* |
1327 | * Local variables: |
1328 | * tab-width: 4 |
1329 | * c-basic-offset: 4 |
1330 | * End: |
1331 | * vim600: sw=4 ts=4 fdm=marker |
1332 | * vim<600: sw=4 ts=4 |
1333 | */ |
1334 | |