From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 13 Jul 2005 20:47:56 +0000 (+0000)
Subject: MFH: Fixed bug #33673 (Added detection for partially uploaded files).
X-Git-Tag: php-4.4.1RC1~113
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=12d6e6c6603cc7dfb05b45f3ec94d9698559720e;p=php

MFH: Fixed bug #33673 (Added detection for partially uploaded files).
---

diff --git a/NEWS b/NEWS
index e413c11d81..92b5aad53c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.1
+- Fixed bug #33673 (Added detection for partially uploaded files). (Ilia)
 - Fixed bug #33156 (cygwin version of setitimer doesn't accept ITIMER_PROF).
   (Nuno)
 - Fixed bug #31158 (array_splice on $GLOBALS crashes). (Dmitry)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index adc16a55ad..d5656fc069 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -127,6 +127,7 @@ void php_mb_gpc_stack_variable(char *param, char *value, char ***pval_list, int
 #define UPLOAD_ERROR_C    3  /* Partially uploaded */
 #define UPLOAD_ERROR_D    4  /* No file uploaded */
 #define UPLOAD_ERROR_E    6  /* Missing /tmp or similar directory */
+#define UPLOAD_ERROR_F    7  /* Failed to write file to disk */
 
 void php_rfc1867_register_constants(TSRMLS_D)
 {
@@ -136,6 +137,7 @@ void php_rfc1867_register_constants(TSRMLS_D)
 	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL",    UPLOAD_ERROR_C,  CONST_CS | CONST_PERSISTENT);
 	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE",    UPLOAD_ERROR_D,  CONST_CS | CONST_PERSISTENT);
 	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E,  CONST_CS | CONST_PERSISTENT);
+	REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F,  CONST_CS | CONST_PERSISTENT);
 }
 
 static void normalize_protected_variable(char *varname TSRMLS_DC)
@@ -700,7 +702,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
 
 
 /* read until a boundary condition */
-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes TSRMLS_DC)
+static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
 {
 	int len, max;
 	char *bound;
@@ -713,6 +715,9 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes TS
 	/* look for a potential boundary match, only read data up to that point */
 	if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
 		max = bound - self->buf_begin;
+		if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
+			*end = 1;
+		}
 	} else {
 		max = self->bytes_in_buffer;
 	}
@@ -749,7 +754,7 @@ static char *multipart_buffer_read_body(multipart_buffer *self TSRMLS_DC)
 	char buf[FILLUNIT], *out=NULL;
 	int total_bytes=0, read_bytes=0;
 
-	while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf) TSRMLS_CC))) {
+	while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
 		out = erealloc(out, total_bytes + read_bytes + 1);
 		memcpy(out + total_bytes, buf, read_bytes);
 		total_bytes += read_bytes;
@@ -853,6 +858,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 
 		if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
 			char *pair=NULL;
+			int end=0;
 			
 			while (isspace(*cd)) {
 				++cd;
@@ -981,7 +987,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 				cancel_upload = UPLOAD_ERROR_D;
 			}
 
-			while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
+			end = 0;
+			while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
 			{
 				if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
 					sapi_module.sapi_error(E_WARNING, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
@@ -994,7 +1001,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 			
 					if (wlen < blen) {
 						sapi_module.sapi_error(E_WARNING, "Only %d bytes were written, expected to write %d", wlen, blen);
-						cancel_upload = UPLOAD_ERROR_C;
+						cancel_upload = UPLOAD_ERROR_F;
 					} else {
 						total_bytes += wlen;
 					}
@@ -1004,6 +1011,13 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 				close(fd);
 			}
 
+			if (!cancel_upload && !end) {
+#ifdef DEBUG_FILE_UPLOAD
+				sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", strlen(filename) > 0 ? filename : "");
+#endif
+				cancel_upload = UPLOAD_ERROR_C;
+			}
+
 #ifdef DEBUG_FILE_UPLOAD
 			if(strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
 				sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);