add CURLOPT_SAFE_UPLOAD option

Author: smalyshev

ext/curl/interface.c

@@ -317,7 +317,7 @@ ZEND_END_ARG_INFO()
 #if LIBCURL_VERSION_NUM >= 0x070c01 /* 7.12.1 */
 ZEND_BEGIN_ARG_INFO(arginfo_curl_reset, 0)
 	ZEND_ARG_INFO(0, ch)
-ZEND_END_ARG_INFO()	
+ZEND_END_ARG_INFO()
 #endif
 
 #if LIBCURL_VERSION_NUM > 0x070f03 /* 7.15.4 */
@@ -526,7 +526,7 @@ PHP_MINFO_FUNCTION(curl)
 #endif
 #if LIBCURL_VERSION_NUM >= 0x071600 /* 7.22.0 */
 			{"NTLMWB", CURL_VERSION_NTLM_WB},
-#endif			
+#endif
 #if LIBCURL_VERSION_NUM >= 0x070a08 /* 7.10.8 */
 			{"SPNEGO", CURL_VERSION_SPNEGO},
 #endif
@@ -804,7 +804,7 @@ PHP_MINIT_FUNCTION(curl)
 	REGISTER_CURL_CONSTANT(CURLINFO_STARTTRANSFER_TIME);
 	REGISTER_CURL_CONSTANT(CURLINFO_TOTAL_TIME);
 
-	/* Other */	
+	/* Other */
 	REGISTER_CURL_CONSTANT(CURLMSG_DONE);
 	REGISTER_CURL_CONSTANT(CURLVERSION_NOW);
 
@@ -846,7 +846,7 @@ PHP_MINIT_FUNCTION(curl)
 	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv2);
 	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv3);
 	REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1);
-	
+
 	/* Curl TIMECOND constants (CURLOPT_TIMECONDITION) */
 	REGISTER_CURL_CONSTANT(CURL_TIMECOND_IFMODSINCE);
 	REGISTER_CURL_CONSTANT(CURL_TIMECOND_IFUNMODSINCE);
@@ -910,15 +910,15 @@ PHP_MINIT_FUNCTION(curl)
 
 #if LIBCURL_VERSION_NUM >= 0x070d00 /* Available since 7.13.0 */
 	REGISTER_CURL_CONSTANT(CURLOPT_FTP_ACCOUNT);
-#endif	
+#endif
 
 #if LIBCURL_VERSION_NUM >= 0x070b02 /* Available since 7.11.2 */
 	REGISTER_CURL_CONSTANT(CURLOPT_TCP_NODELAY);
 #endif
 
 #if LIBCURL_VERSION_NUM >= 0x070c02 /* Available since 7.12.2 */
 	REGISTER_CURL_CONSTANT(CURLINFO_OS_ERRNO);
-#endif	
+#endif
 
 #if LIBCURL_VERSION_NUM >= 0x070c03 /* Available since 7.12.3 */
 	REGISTER_CURL_CONSTANT(CURLINFO_NUM_CONNECTS);
@@ -959,7 +959,7 @@ PHP_MINIT_FUNCTION(curl)
 	REGISTER_CURL_CONSTANT(CURLOPT_FTP_ALTERNATIVE_TO_USER);
 	REGISTER_CURL_CONSTANT(CURLOPT_MAX_RECV_SPEED_LARGE);
 	REGISTER_CURL_CONSTANT(CURLOPT_MAX_SEND_SPEED_LARGE);
-#endif 
+#endif
 
 #if LIBCURL_VERSION_NUM >= 0x071000 /* Available since 7.16.0 */
 	REGISTER_CURL_CONSTANT(CURLOPT_SSL_SESSIONID_CACHE);
@@ -1003,7 +1003,7 @@ PHP_MINIT_FUNCTION(curl)
 	REGISTER_CURL_CONSTANT(CURLUSESSL_CONTROL);
 	REGISTER_CURL_CONSTANT(CURLUSESSL_NONE);
 	REGISTER_CURL_CONSTANT(CURLUSESSL_TRY);
-#endif	
+#endif
 
 #if LIBCURL_VERSION_NUM >= 0x071101 /* Available since 7.17.1 */
 	REGISTER_CURL_CONSTANT(CURLOPT_SSH_HOST_PUBLIC_KEY_MD5);
@@ -1053,7 +1053,7 @@ PHP_MINIT_FUNCTION(curl)
 	REGISTER_CURL_CONSTANT(CURLOPT_USERNAME);
 #endif
 
-#if LIBCURL_VERSION_NUM >= 0x071303 /* Available since 7.19.3 */ 
+#if LIBCURL_VERSION_NUM >= 0x071303 /* Available since 7.19.3 */
 	REGISTER_CURL_CONSTANT(CURLAUTH_DIGEST_IE);
 #endif
 
@@ -1135,7 +1135,7 @@ PHP_MINIT_FUNCTION(curl)
 	REGISTER_CURL_CONSTANT(CURL_FNMATCHFUNC_FAIL);
 	REGISTER_CURL_CONSTANT(CURL_FNMATCHFUNC_MATCH);
 	REGISTER_CURL_CONSTANT(CURL_FNMATCHFUNC_NOMATCH);
-#endif 
+#endif
 
 #if LIBCURL_VERSION_NUM >= 0x071502 /* Available since 7.21.2 */
 	REGISTER_CURL_CONSTANT(CURLPROTO_GOPHER);
@@ -1187,6 +1187,7 @@ PHP_MINIT_FUNCTION(curl)
 #if CURLOPT_PASSWDFUNCTION != 0
 	REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
 #endif
+	REGISTER_CURL_CONSTANT(CURLOPT_SAFE_UPLOAD);
 
 #ifdef PHP_CURL_NEED_OPENSSL_TSL
 	if (!CRYPTO_get_id_callback()) {
@@ -1814,6 +1815,7 @@ static void alloc_curl_handle(php_curl **ch)
 	zend_llist_init(&(*ch)->to_free->str,   sizeof(char *),            (llist_dtor_func_t) curl_free_string, 0);
 	zend_llist_init(&(*ch)->to_free->slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist,  0);
 	zend_llist_init(&(*ch)->to_free->post,  sizeof(struct HttpPost),   (llist_dtor_func_t) curl_free_post,   0);
+	(*ch)->safe_upload = 0; /* for now, for BC reason we allow unsafe API */
 }
 /* }}} */
 
@@ -1835,7 +1837,7 @@ static void split_certinfo(char *string, zval *hash)
 			split = strstr(s, "; ");
 			if(split)
 				*split = '\0';
-			
+
 			key = s;
 			tmp = memchr(key, '=', 64);
 			if(tmp) {
@@ -2061,7 +2063,7 @@ PHP_FUNCTION(curl_copy_handle)
 		if (ch->handlers->fnmatch->func_name) {
 			zval_add_ref(&ch->handlers->fnmatch->func_name);
 			dupch->handlers->fnmatch->func_name = ch->handlers->fnmatch->func_name;
-		}   
+		}
 		dupch->handlers->fnmatch->method = ch->handlers->fnmatch->method;
 		curl_easy_setopt(dupch->cp, CURLOPT_FNMATCH_DATA, (void *) dupch);
 	}
@@ -2140,7 +2142,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 #if LIBCURL_VERSION_NUM >= 0x070a06 /* Available since 7.10.6 */
 		case CURLOPT_HTTPAUTH:
 #endif
-#if LIBCURL_VERSION_NUM >= 0x070a07 /* Available since 7.10.7 */ 
+#if LIBCURL_VERSION_NUM >= 0x070a07 /* Available since 7.10.7 */
 		case CURLOPT_FTP_CREATE_MISSING_DIRS:
 		case CURLOPT_PROXYAUTH:
 #endif
@@ -2190,11 +2192,11 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 		case CURLOPT_USE_SSL:
 #elif LIBCURL_VERSION_NUM >= 0x070b00 /* Available since 7.11.0 */
 		case CURLOPT_FTP_SSL:
-#endif	
+#endif
 #if LIBCURL_VERSION_NUM >= 0x071100 /* Available since 7.17.0 */
 		case CURLOPT_APPEND:
 		case CURLOPT_DIRLISTONLY:
-#else			
+#else
 		case CURLOPT_FTPAPPEND:
 		case CURLOPT_FTPLISTONLY:
 #endif
@@ -2252,6 +2254,10 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 #endif
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_SAFE_UPLOAD:
+			convert_to_long_ex(zvalue);
+			ch->safe_upload = (Z_LVAL_PP(zvalue) != 0);
+			break;
 
 		/* String options */
 		case CURLOPT_CAINFO:
@@ -2287,7 +2293,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 #endif
 #if LIBCURL_VERSION_NUM >= 0x071004 /* Available since 7.16.4 */
 		case CURLOPT_KRBLEVEL:
-#else			
+#else
 		case CURLOPT_KRB4LEVEL:
 #endif
 #if LIBCURL_VERSION_NUM >= 0x071101 /* Available since 7.17.1 */
@@ -2312,15 +2318,15 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 		case CURLOPT_TLSAUTH_PASSWORD:
 		case CURLOPT_TLSAUTH_USERNAME:
 #endif
-#if LIBCURL_VERSION_NUM >= 0x071506 /* Available since 7.21.6 */			
+#if LIBCURL_VERSION_NUM >= 0x071506 /* Available since 7.21.6 */
 		case CURLOPT_ACCEPT_ENCODING:
 		case CURLOPT_TRANSFER_ENCODING:
 #else
 		case CURLOPT_ENCODING:
 #endif
 #if LIBCURL_VERSION_NUM >= 0x071800 /* Available since 7.24.0 */
 		case CURLOPT_DNS_SERVERS:
-#endif	
+#endif
 #if LIBCURL_VERSION_NUM >= 0x071900 /* Available since 7.25.0 */
 		case CURLOPT_MAIL_AUTH:
 #endif
@@ -2355,7 +2361,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 		/* Curl file handle options */
 		case CURLOPT_FILE:
 		case CURLOPT_INFILE:
-		case CURLOPT_STDERR: 
+		case CURLOPT_STDERR:
 		case CURLOPT_WRITEHEADER: {
 			FILE *fp = NULL;
 			int type;
@@ -2623,7 +2629,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 					/* The arguments after _NAMELENGTH and _CONTENTSLENGTH
 					 * must be explicitly cast to long in curl_formadd
 					 * use since curl needs a long not an int. */
-					if (*postval == '@') {
+					if (!ch->safe_upload && *postval == '@') {
 						char *type, *filename;
 						++postval;
 
@@ -2771,7 +2777,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 		/* the following options deal with files, therefore the open_basedir check
 		 * is required.
 		 */
-		case CURLOPT_COOKIEFILE: 
+		case CURLOPT_COOKIEFILE:
 		case CURLOPT_COOKIEJAR:
 		case CURLOPT_RANDOM_FILE:
 		case CURLOPT_SSLCERT:
@@ -2875,7 +2881,7 @@ PHP_FUNCTION(curl_setopt)
 
 	ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
 
-	if (options <= 0) {
+	if (options <= 0 && options != CURLOPT_SAFE_UPLOAD) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid curl configuration option");
 		RETURN_FALSE;
 	}
@@ -3091,7 +3097,7 @@ PHP_FUNCTION(curl_getinfo)
 			CAAS("redirect_url", s_code);
 		}
 #endif
-#if LIBCURL_VERSION_NUM >= 0x071300 /* Available since 7.19.0 */		
+#if LIBCURL_VERSION_NUM >= 0x071300 /* Available since 7.19.0 */
 		if (curl_easy_getinfo(ch->cp, CURLINFO_PRIMARY_IP, &s_code) == CURLE_OK) {
 			CAAS("primary_ip", s_code);
 		}
@@ -3146,7 +3152,7 @@ PHP_FUNCTION(curl_getinfo)
 					case CURLINFO_STRING:
 					{
 						char *s_code = NULL;
-	
+
 						if (curl_easy_getinfo(ch->cp, option, &s_code) == CURLE_OK && s_code) {
 							RETURN_STRING(s_code, 1);
 						} else {
@@ -3157,7 +3163,7 @@ PHP_FUNCTION(curl_getinfo)
 					case CURLINFO_LONG:
 					{
 						long code = 0;
-	
+
 						if (curl_easy_getinfo(ch->cp, option, &code) == CURLE_OK) {
 							RETURN_LONG(code);
 						} else {
@@ -3399,7 +3405,7 @@ static void _php_curl_reset_handlers(php_curl *ch)
 	}
 	ch->handlers->write->fp = NULL;
 	ch->handlers->write->method = PHP_CURL_STDOUT;
-	
+
 	if (ch->handlers->write_header->stream) {
 		Z_DELREF_P(ch->handlers->write_header->stream);
 		ch->handlers->write_header->stream = NULL;
@@ -3493,7 +3499,7 @@ PHP_FUNCTION(curl_escape)
 
 /* {{{ proto void curl_unescape(resource ch, string str)
    URL decodes the given string */
-PHP_FUNCTION(curl_unescape) 
+PHP_FUNCTION(curl_unescape)
 {
 	char       *str = NULL, *out = NULL;
 	int        str_len = 0, out_len;
@@ -3531,7 +3537,7 @@ PHP_FUNCTION(curl_pause)
 
 	ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
 
-	RETURN_LONG(curl_easy_pause(ch->cp, bitmask)); 
+	RETURN_LONG(curl_easy_pause(ch->cp, bitmask));
 }
 /* }}} */
 #endif

ext/curl/php_curl.h

@@ -180,8 +180,11 @@ typedef struct {
 	unsigned int             uses;
 	zend_bool                in_callback;
 	zval                     *clone;
+	zend_bool                safe_upload;
 } php_curl;
 
+#define CURLOPT_SAFE_UPLOAD -1
+
 typedef struct {
 	int    still_running;
 	CURLM *multi;

ext/curl/tests/curl_file_upload.phpt

@@ -1,7 +1,7 @@
 --TEST--
 CURL file uploading
 --SKIPIF--
-<?php 
+<?php
 if (!extension_loaded("curl")) {
 	exit("skip curl extension not loaded");
 }
@@ -15,9 +15,9 @@ if (false === getenv('PHP_CURL_HTTP_REMOTE_SERVER'))  {
 function testcurl($ch, $name, $mime = '', $postname = '')
 {
 	if(!empty($postname)) {
-		$file = new CurlFile($name, $mime, $postname);	
+		$file = new CurlFile($name, $mime, $postname);
 	} else if(!empty($mime)) {
-		$file = new CurlFile($name, $mime);	
+		$file = new CurlFile($name, $mime);
 	} else {
 		$file = new CurlFile($name);
 	}
@@ -52,6 +52,16 @@ $params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
 curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
 var_dump(curl_exec($ch));
 
+curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
+$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
+curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
+var_dump(curl_exec($ch));
+
+curl_setopt($ch, CURLOPT_URL, "{$host}/get.php?test=post");
+$params = array('file' => '@' . __DIR__ . '/curl_testdata1.txt');
+curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
+var_dump(curl_exec($ch));
+
 curl_close($ch);
 ?>
 --EXPECTF--
@@ -67,3 +77,9 @@ string(%d) "foo.txt|application/octet-stream"
 
 Deprecated: curl_setopt(): Usage of @filename API for file uploading is deprecated. Please use CURLFile parameter instead in %s on line %d
 string(%d) "curl_testdata1.txt|application/octet-stream"
+string(0) ""
+string(%d) "array(1) {
+  ["file"]=>
+  string(%d) "@%s/curl_testdata1.txt"
+}
+"