From b5184ef33606c808b66c4b2738c80376c95de65b Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Mon, 9 Mar 2015 11:00:04 +0100 Subject: [PATCH] Remove unsafe curl file uploads The option CURLOPT_SAFE_UPLOAD still exists, but cannot be disabled. --- NEWS | 1 + UPGRADING | 4 +++ ext/curl/interface.c | 49 ++++++---------------------- ext/curl/php_curl.h | 1 - ext/curl/tests/bug27023.phpt | 27 +++++++-------- ext/curl/tests/bug27023_2.phpt | 44 ------------------------- ext/curl/tests/curl_file_upload.phpt | 4 +-- 7 files changed, 29 insertions(+), 101 deletions(-) delete mode 100644 ext/curl/tests/bug27023_2.phpt diff --git a/NEWS b/NEWS index 40904fb5bf..d0d16b8e91 100644 --- a/NEWS +++ b/NEWS @@ -57,6 +57,7 @@ - Curl: . Fixed bug #68937 (Segfault in curl_multi_exec). (Laruence) + . Removed support for unsafe file uploads. (Nikita) - Date: . Fixed day_of_week function as it could sometimes return negative values diff --git a/UPGRADING b/UPGRADING index e6b42ec75c..3e6c550143 100644 --- a/UPGRADING +++ b/UPGRADING @@ -345,6 +345,10 @@ Standard library changes Other ===== +- Curl: + . Removed support for disabling the CURLOPT_SAFE_UPLOAD option. All curl file + uploads must use the curl_file / CURLFile APIs. + - Date: . Removed $is_dst parameter from mktime() and gmmktime(). diff --git a/ext/curl/interface.c b/ext/curl/interface.c index b2e3447c4e..650bc158eb 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1747,7 +1747,6 @@ static php_curl *alloc_curl_handle() zend_llist_init(&ch->to_free->str, sizeof(char *), (llist_dtor_func_t)curl_free_string, 0); zend_llist_init(&ch->to_free->post, sizeof(struct HttpPost), (llist_dtor_func_t)curl_free_post, 0); - ch->safe_upload = 1; /* for now, for BC reason we allow unsafe API */ ch->to_free->slist = emalloc(sizeof(HashTable)); zend_hash_init(ch->to_free->slist, 4, NULL, curl_free_slist, 0); 
@@ -2181,7 +2180,10 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue) /* {{{
 break;
 case CURLOPT_SAFE_UPLOAD:
 lval = zval_get_long(zvalue);
- ch->safe_upload = (lval != 0);
+ if (lval == 0) {
+ php_error_docref(NULL, E_WARNING, "Disabling safe uploads is no longer supported");
+ return FAILURE;
+ }
 break;
 /* String options */
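Review bot: The `CURLOPT_SAFE_UPLOAD` case in `_php_curl_setopt` would benefit from a comment saying why the option is still accepted while a zero value is refused, since nothing in the case itself explains it. Something like `/* Kept for BC only: safe uploads are always on, so a leading '@' in a CURLOPT_POSTFIELDS value is never read as a file path. */` above the `zval_get_long()` call would do. Because `zval_get_long()` coerces its argument, values such as `false`, `null` or a non-numeric string also reach the warning and `return FAILURE`; a caller that sets several options in one batch would presumably stop at this one, which is worth a line in UPGRADING. The function body starts and ends outside the hunk.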
@@ -2558,43 +2560,12 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue) /* {{{
 /* The arguments after _NAMELENGTH and _CONTENTSLENGTH
 * must be explicitly cast to long in curl_formadd
 * use since curl needs a long not an int. */
- if (!ch->safe_upload && *postval == '@') {
- char *name, *type, *filename;
- ++postval;
-
- php_error_docref("curl.curlfile", E_DEPRECATED,
- "The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead");
-
- name = estrndup(postval, Z_STRLEN_P(current));
- if ((type = (char *)php_memnstr(name, ";type=", sizeof(";type=") - 1,
- name + Z_STRLEN_P(current)))) {
- *type = '\0';
- }
- if ((filename = (char *)php_memnstr(name, ";filename=", sizeof(";filename=") - 1,
- name + Z_STRLEN_P(current)))) {
- *filename = '\0';
- }
- /* open_basedir check */
- if (php_check_open_basedir(name)) {
- efree(name);
- return FAILURE;
- }
- error = curl_formadd(&first, &last,
- CURLFORM_COPYNAME, string_key->val,
- CURLFORM_NAMELENGTH, string_key->len,
- CURLFORM_FILENAME, filename ? filename + sizeof(";filename=") - 1 : name,
- CURLFORM_CONTENTTYPE, type ? type + sizeof(";type=") - 1 : "application/octet-stream",
- CURLFORM_FILE, name,
- CURLFORM_END);
- efree(name);
- } else {
- error = curl_formadd(&first, &last,
- CURLFORM_COPYNAME, string_key->val,
- CURLFORM_NAMELENGTH, (zend_long)string_key->len,
- CURLFORM_COPYCONTENTS, postval,
- CURLFORM_CONTENTSLENGTH, (zend_long)Z_STRLEN_P(current),
- CURLFORM_END);
- }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key->val,
+ CURLFORM_NAMELENGTH, (zend_long)string_key->len,
+ CURLFORM_COPYCONTENTS, postval,
+ CURLFORM_CONTENTSLENGTH, (zend_long)Z_STRLEN_P(current),
+ CURLFORM_END);
 zend_string_release(string_key);
 } ZEND_HASH_FOREACH_END();
diff --git a/ext/curl/php_curl.h b/ext/curl/php_curl.h
index 7d461b82fe..bc3db650d9 100644
--- a/ext/curl/php_curl.h
+++ b/ext/curl/php_curl.h
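Review bot: The length casts in the retained `curl_formadd` call of `_php_curl_setopt` (ext/curl/interface.c) disagree with the comment directly above them: the comment says curl needs a `long`, yet both lengths are cast to `zend_long`. The width of `zend_long` is not visible here; on a target where it is wider than `long`, the variadic arguments would not match what the comment says curl reads. Casting to the documented type, `CURLFORM_NAMELENGTH, (long)string_key->len,` and `CURLFORM_CONTENTSLENGTH, (long)Z_STRLEN_P(current),`, keeps code and comment in agreement, with a range check first if lengths above `LONG_MAX` can reach this point. The enclosing loop and function start outside the hunk.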
@@ -179,7 +179,6 @@ typedef struct { zend_resource *res; zend_bool in_callback; uint32_t clone; - zend_bool safe_upload; } php_curl; #define CURLOPT_SAFE_UPLOAD -1 diff --git a/ext/curl/tests/bug27023.phpt b/ext/curl/tests/bug27023.phpt index fce69f5708..c878ebac31 100644 --- a/ext/curl/tests/bug27023.phpt +++ b/ext/curl/tests/bug27023.phpt @@ -3,36 +3,34 @@ Bug #27023 (CURLOPT_POSTFIELDS does not parse content types for files) --INI-- error_reporting = E_ALL & ~E_DEPRECATED --SKIPIF-- - + --FILE-- '@' . __DIR__ . '/curl_testdata1.txt'); +$file = curl_file_create(__DIR__ . '/curl_testdata1.txt'); +$params = array('file' => $file); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); var_dump(curl_exec($ch)); -$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt;type=text/plain'); +$file = curl_file_create(__DIR__ . '/curl_testdata1.txt', "text/plain"); +$params = array('file' => $file); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); var_dump(curl_exec($ch)); -$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt;filename=foo.txt'); +$file = curl_file_create(__DIR__ . '/curl_testdata1.txt', null, "foo.txt"); +$params = array('file' => $file); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); var_dump(curl_exec($ch)); -$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt;type=text/plain;filename=foo.txt'); -curl_setopt($ch, CURLOPT_POSTFIELDS, $params); -var_dump(curl_exec($ch)); - -$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt;filename=foo.txt;type=text/plain'); +$file = curl_file_create(__DIR__ . '/curl_testdata1.txt', "text/plain", "foo.txt"); +$params = array('file' => $file); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); var_dump(curl_exec($ch)); @@ -44,4 +42,3 @@ string(%d) "curl_testdata1.txt|application/octet-stream" string(%d) "curl_testdata1.txt|text/plain" string(%d) "foo.txt|application/octet-stream" string(%d) "foo.txt|text/plain" -string(%d) "foo.txt|text/plain" 
diff --git a/ext/curl/tests/bug27023_2.phpt b/ext/curl/tests/bug27023_2.phpt deleted file mode 100644 index c878ebac31..0000000000 --- a/ext/curl/tests/bug27023_2.phpt +++ /dev/null @@ -1,44 +0,0 @@ ---TEST-- -Bug #27023 (CURLOPT_POSTFIELDS does not parse content types for files) ---INI-- -error_reporting = E_ALL & ~E_DEPRECATED ---SKIPIF-- - ---FILE-- - $file); -curl_setopt($ch, CURLOPT_POSTFIELDS, $params); -var_dump(curl_exec($ch)); - -$file = curl_file_create(__DIR__ . '/curl_testdata1.txt', "text/plain"); -$params = array('file' => $file); -curl_setopt($ch, CURLOPT_POSTFIELDS, $params); -var_dump(curl_exec($ch)); - -$file = curl_file_create(__DIR__ . '/curl_testdata1.txt', null, "foo.txt"); -$params = array('file' => $file); -curl_setopt($ch, CURLOPT_POSTFIELDS, $params); -var_dump(curl_exec($ch)); - -$file = curl_file_create(__DIR__ . '/curl_testdata1.txt', "text/plain", "foo.txt"); -$params = array('file' => $file); -curl_setopt($ch, CURLOPT_POSTFIELDS, $params); -var_dump(curl_exec($ch)); - - -curl_close($ch); -?> ---EXPECTF-- -string(%d) "curl_testdata1.txt|application/octet-stream" -string(%d) "curl_testdata1.txt|text/plain" -string(%d) "foo.txt|application/octet-stream" -string(%d) "foo.txt|text/plain" diff --git a/ext/curl/tests/curl_file_upload.phpt b/ext/curl/tests/curl_file_upload.phpt index 3a5a78fde3..c64e67aa5c 100644 --- a/ext/curl/tests/curl_file_upload.phpt +++ b/ext/curl/tests/curl_file_upload.phpt @@ -71,8 +71,8 @@ string(%d) "curl_testdata1.txt|text/plain" string(%d) "foo.txt" string(%d) "foo.txt|application/octet-stream" -Deprecated: curl_setopt(): The usage of the @filename API for file uploading is deprecated. Please use the CURLFile class instead in %s on line %d -string(%d) "curl_testdata1.txt|application/octet-stream" +Warning: curl_setopt(): Disabling safe uploads is no longer supported in %s on line %d +string(0) "" string(0) "" string(%d) "array(1) { ["file"]=> -- 2.40.0