Back to index

php5  5.3.10
Classes | Defines | Functions | Variables
rfc1867.c File Reference
#include <stdio.h>
#include "php.h"
#include "php_open_temporary_file.h"
#include "zend_globals.h"
#include "php_globals.h"
#include "php_variables.h"
#include "rfc1867.h"
#include "ext/standard/php_string.h"

Go to the source code of this file.

Classes

struct  multipart_buffer
struct  mime_header_entry

Defines

#define DEBUG_FILE_UPLOAD   ZEND_DEBUG
#define SAFE_RETURN
#define MAX_SIZE_OF_INDEX   sizeof("[tmp_name]")
#define MAX_SIZE_ANONNAME   33
#define UPLOAD_ERROR_OK   0 /* File upload succesful */
#define UPLOAD_ERROR_A   1 /* Uploaded file exceeded upload_max_filesize */
#define UPLOAD_ERROR_B   2 /* Uploaded file exceeded MAX_FILE_SIZE */
#define UPLOAD_ERROR_C   3 /* Partially uploaded */
#define UPLOAD_ERROR_D   4 /* No file uploaded */
#define UPLOAD_ERROR_E   6 /* Missing /tmp or similar directory */
#define UPLOAD_ERROR_F   7 /* Failed to write file to disk */
#define UPLOAD_ERROR_X   8 /* File upload stopped by extension */
#define FILLUNIT   (1024 * 5)

Functions

void php_rfc1867_register_constants (TSRMLS_D)
static void normalize_protected_variable (char *varname TSRMLS_DC)
static void add_protected_variable (char *varname TSRMLS_DC)
static zend_bool is_protected_variable (char *varname TSRMLS_DC)
static void safe_php_register_variable (char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC)
static void safe_php_register_variable_ex (char *var, zval *val, zval *track_vars_array, zend_bool override_protection TSRMLS_DC)
static void register_http_post_files_variable (char *strvar, char *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC)
static void register_http_post_files_variable_ex (char *var, zval *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC)
static int unlink_filename (char **filename TSRMLS_DC)
void destroy_uploaded_files_hash (TSRMLS_D)
static int fill_buffer (multipart_buffer *self TSRMLS_DC)
static int multipart_buffer_eof (multipart_buffer *self TSRMLS_DC)
static multipart_buffermultipart_buffer_new (char *boundary, int boundary_len)
static char * next_line (multipart_buffer *self)
static char * get_line (multipart_buffer *self TSRMLS_DC)
static void php_free_hdr_entry (mime_header_entry *h)
static int find_boundary (multipart_buffer *self, char *boundary TSRMLS_DC)
static int multipart_buffer_headers (multipart_buffer *self, zend_llist *header TSRMLS_DC)
static char * php_mime_get_hdr_value (zend_llist header, char *key)
static char * php_ap_getword (char **line, char stop)
static char * substring_conf (char *start, int len, char quote TSRMLS_DC)
static char * php_ap_getword_conf (char **line TSRMLS_DC)
static void * php_ap_memstr (char *haystack, int haystacklen, char *needle, int needlen, int partial)
static int multipart_buffer_read (multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
static char * multipart_buffer_read_body (multipart_buffer *self, unsigned int *len TSRMLS_DC)
SAPI_API SAPI_POST_HANDLER_FUNC (rfc1867_post_handler)

Variables

PHPAPI int(* php_rfc1867_callback )(unsigned int event, void *event_data, void **extra TSRMLS_DC) = NULL

Class Documentation

struct multipart_buffer

Definition at line 284 of file rfc1867.c.

Class Members
char * boundary
char * boundary_next
int boundary_next_len
char * buf_begin
char * buffer
int bufsize
int bytes_in_buffer
struct mime_header_entry

Definition at line 299 of file rfc1867.c.

Class Members
char * key
char * value

Define Documentation

#define DEBUG_FILE_UPLOAD   ZEND_DEBUG

Definition at line 37 of file rfc1867.c.

#define FILLUNIT   (1024 * 5)

Definition at line 282 of file rfc1867.c.

#define MAX_SIZE_ANONNAME   33

Definition at line 130 of file rfc1867.c.

#define MAX_SIZE_OF_INDEX   sizeof("[tmp_name]")

Definition at line 127 of file rfc1867.c.

#define SAFE_RETURN
Value:
{ \
       if (lbuf) efree(lbuf); \
       if (abuf) efree(abuf); \
       if (array_index) efree(array_index); \
       zend_hash_destroy(&PG(rfc1867_protected_variables)); \
       zend_llist_destroy(&header); \
       if (mbuff->boundary_next) efree(mbuff->boundary_next); \
       if (mbuff->boundary) efree(mbuff->boundary); \
       if (mbuff->buffer) efree(mbuff->buffer); \
       if (mbuff) efree(mbuff); \
       return; }

Definition at line 113 of file rfc1867.c.

#define UPLOAD_ERROR_A   1 /* Uploaded file exceeded upload_max_filesize */

Definition at line 134 of file rfc1867.c.

#define UPLOAD_ERROR_B   2 /* Uploaded file exceeded MAX_FILE_SIZE */

Definition at line 135 of file rfc1867.c.

#define UPLOAD_ERROR_C   3 /* Partially uploaded */

Definition at line 136 of file rfc1867.c.

#define UPLOAD_ERROR_D   4 /* No file uploaded */

Definition at line 137 of file rfc1867.c.

#define UPLOAD_ERROR_E   6 /* Missing /tmp or similar directory */

Definition at line 138 of file rfc1867.c.

#define UPLOAD_ERROR_F   7 /* Failed to write file to disk */

Definition at line 139 of file rfc1867.c.

#define UPLOAD_ERROR_OK   0 /* File upload succesful */

Definition at line 133 of file rfc1867.c.

#define UPLOAD_ERROR_X   8 /* File upload stopped by extension */

Definition at line 140 of file rfc1867.c.


Function Documentation

static void add_protected_variable ( char *varname  TSRMLS_DC) [static]

Definition at line 213 of file rfc1867.c.

{
       int dummy = 1;

       normalize_protected_variable(varname TSRMLS_CC);
       zend_hash_add(&PG(rfc1867_protected_variables), varname, strlen(varname)+1, &dummy, sizeof(int), NULL);
}

Here is the call graph for this function:

Here is the caller graph for this function:

Definition at line 272 of file rfc1867.c.

{
       zend_hash_apply(SG(rfc1867_uploaded_files), (apply_func_t) unlink_filename TSRMLS_CC);
       zend_hash_destroy(SG(rfc1867_uploaded_files));
       FREE_HASHTABLE(SG(rfc1867_uploaded_files));
}

Here is the call graph for this function:

Here is the caller graph for this function:

static int fill_buffer ( multipart_buffer *self  TSRMLS_DC) [static]

Definition at line 308 of file rfc1867.c.

{
       int bytes_to_read, total_read = 0, actual_read = 0;

       /* shift the existing data if necessary */
       if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
              memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
       }

       self->buf_begin = self->buffer;

       /* calculate the free space in the buffer */
       bytes_to_read = self->bufsize - self->bytes_in_buffer;

       /* read the required number of bytes */
       while (bytes_to_read > 0) {

              char *buf = self->buffer + self->bytes_in_buffer;

              actual_read = sapi_module.read_post(buf, bytes_to_read TSRMLS_CC);

              /* update the buffer length */
              if (actual_read > 0) {
                     self->bytes_in_buffer += actual_read;
                     SG(read_post_bytes) += actual_read;
                     total_read += actual_read;
                     bytes_to_read -= actual_read;
              } else {
                     break;
              }
       }

       return total_read;
}
static int find_boundary ( multipart_buffer self,
char *boundary  TSRMLS_DC 
) [static]

Definition at line 444 of file rfc1867.c.

{
       char *line;

       /* loop thru lines */
       while( (line = get_line(self TSRMLS_CC)) )
       {
              /* finished if we found the boundary */
              if (!strcmp(line, boundary)) {
                     return 1;
              }
       }

       /* didn't find the boundary */
       return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static char* get_line ( multipart_buffer *self  TSRMLS_DC) [static]

Definition at line 420 of file rfc1867.c.

{
       char* ptr = next_line(self);

       if (!ptr) {
              fill_buffer(self TSRMLS_CC);
              ptr = next_line(self);
       }

       return ptr;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static zend_bool is_protected_variable ( char *varname  TSRMLS_DC) [static]

Definition at line 222 of file rfc1867.c.

{
       normalize_protected_variable(varname TSRMLS_CC);
       return zend_hash_exists(&PG(rfc1867_protected_variables), varname, strlen(varname)+1);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static int multipart_buffer_eof ( multipart_buffer *self  TSRMLS_DC) [static]

Definition at line 344 of file rfc1867.c.

{
       if ( (self->bytes_in_buffer == 0 && fill_buffer(self TSRMLS_CC) < 1) ) {
              return 1;
       } else {
              return 0;
       }
}

Here is the call graph for this function:

Here is the caller graph for this function:

static int multipart_buffer_headers ( multipart_buffer self,
zend_llist *header  TSRMLS_DC 
) [static]

Definition at line 462 of file rfc1867.c.

{
       char *line;
       mime_header_entry prev_entry, entry;
       int prev_len, cur_len;

       /* didn't find boundary, abort */
       if (!find_boundary(self, self->boundary TSRMLS_CC)) {
              return 0;
       }

       /* get lines of text, or CRLF_CRLF */

       while( (line = get_line(self TSRMLS_CC)) && strlen(line) > 0 )
       {
              /* add header to table */
              char *key = line;
              char *value = NULL;

              /* space in the beginning means same header */
              if (!isspace(line[0])) {
                     value = strchr(line, ':');
              }

              if (value) {
                     *value = 0;
                     do { value++; } while(isspace(*value));

                     entry.value = estrdup(value);
                     entry.key = estrdup(key);

              } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */

                     prev_len = strlen(prev_entry.value);
                     cur_len = strlen(line);

                     entry.value = emalloc(prev_len + cur_len + 1);
                     memcpy(entry.value, prev_entry.value, prev_len);
                     memcpy(entry.value + prev_len, line, cur_len);
                     entry.value[cur_len + prev_len] = '\0';

                     entry.key = estrdup(prev_entry.key);

                     zend_llist_remove_tail(header);
              } else {
                     continue;
              }

              zend_llist_add_element(header, &entry);
              prev_entry = entry;
       }

       return 1;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static multipart_buffer* multipart_buffer_new ( char *  boundary,
int  boundary_len 
) [static]

Definition at line 354 of file rfc1867.c.

{
       multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));

       int minsize = boundary_len + 6;
       if (minsize < FILLUNIT) minsize = FILLUNIT;

       self->buffer = (char *) ecalloc(1, minsize + 1);
       self->bufsize = minsize;

       spprintf(&self->boundary, 0, "--%s", boundary);

       self->boundary_next_len = spprintf(&self->boundary_next, 0, "\n--%s", boundary);

       self->buf_begin = self->buffer;
       self->bytes_in_buffer = 0;

       return self;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static int multipart_buffer_read ( multipart_buffer self,
char *  buf,
int  bytes,
int *end  TSRMLS_DC 
) [static]

Definition at line 692 of file rfc1867.c.

{
       int len, max;
       char *bound;

       /* fill buffer if needed */
       if (bytes > self->bytes_in_buffer) {
              fill_buffer(self TSRMLS_CC);
       }

       /* look for a potential boundary match, only read data up to that point */
       if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
              max = bound - self->buf_begin;
              if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
                     *end = 1;
              }
       } else {
              max = self->bytes_in_buffer;
       }

       /* maximum number of bytes we are reading */
       len = max < bytes-1 ? max : bytes-1;

       /* if we read any data... */
       if (len > 0) {

              /* copy the data */
              memcpy(buf, self->buf_begin, len);
              buf[len] = 0;

              if (bound && len > 0 && buf[len-1] == '\r') {
                     buf[--len] = 0;
              }

              /* update the buffer */
              self->bytes_in_buffer -= len;
              self->buf_begin += len;
       }

       return len;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static char* multipart_buffer_read_body ( multipart_buffer self,
unsigned int *len  TSRMLS_DC 
) [static]

Definition at line 738 of file rfc1867.c.

{
       char buf[FILLUNIT], *out=NULL;
       int total_bytes=0, read_bytes=0;

       while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
              out = erealloc(out, total_bytes + read_bytes + 1);
              memcpy(out + total_bytes, buf, read_bytes);
              total_bytes += read_bytes;
       }

       if (out) {
              out[total_bytes] = '\0';
       }
       *len = total_bytes;

       return out;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static char* next_line ( multipart_buffer self) [static]

Definition at line 385 of file rfc1867.c.

{
       /* look for LF in the data */
       char* line = self->buf_begin;
       char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);

       if (ptr) {    /* LF found */

              /* terminate the string, remove CRLF */
              if ((ptr - line) > 0 && *(ptr-1) == '\r') {
                     *(ptr-1) = 0;
              } else {
                     *ptr = 0;
              }

              /* bump the pointer */
              self->buf_begin = ptr + 1;
              self->bytes_in_buffer -= (self->buf_begin - line);

       } else {      /* no LF found */

              /* buffer isn't completely full, fail */
              if (self->bytes_in_buffer < self->bufsize) {
                     return NULL;
              }
              /* return entire buffer as a partial line */
              line[self->bufsize] = 0;
              self->buf_begin = ptr;
              self->bytes_in_buffer = 0;
       }

       return line;
}

Here is the caller graph for this function:

static void normalize_protected_variable ( char *varname  TSRMLS_DC) [static]

Definition at line 155 of file rfc1867.c.

{
       char *s = varname, *index = NULL, *indexend = NULL, *p;

       /* overjump leading space */
       while (*s == ' ') {
              s++;
       }

       /* and remove it */
       if (s != varname) {
              memmove(varname, s, strlen(s)+1);
       }

       for (p = varname; *p && *p != '['; p++) {
              switch(*p) {
                     case ' ':
                     case '.':
                            *p = '_';
                            break;
              }
       }

       /* find index */
       index = strchr(varname, '[');
       if (index) {
              index++;
              s = index;
       } else {
              return;
       }

       /* done? */
       while (index) {
              while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
                     index++;
              }
              indexend = strchr(index, ']');
              indexend = indexend ? indexend + 1 : index + strlen(index);

              if (s != index) {
                     memmove(s, index, strlen(index)+1);
                     s += indexend-index;
              } else {
                     s = indexend;
              }

              if (*s == '[') {
                     s++;
                     index = s;
              } else {
                     index = NULL;
              }
       }
       *s = '\0';
}

Here is the caller graph for this function:

static char* php_ap_getword ( char **  line,
char  stop 
) [static]

Definition at line 536 of file rfc1867.c.

{
       char *pos = *line, quote;
       char *res;

       while (*pos && *pos != stop) {
              if ((quote = *pos) == '"' || quote == '\'') {
                     ++pos;
                     while (*pos && *pos != quote) {
                            if (*pos == '\\' && pos[1] && pos[1] == quote) {
                                   pos += 2;
                            } else {
                                   ++pos;
                            }
                     }
                     if (*pos) {
                            ++pos;
                     }
              } else ++pos;
       }
       if (*pos == '\0') {
              res = estrdup(*line);
              *line += strlen(*line);
              return res;
       }

       res = estrndup(*line, pos - *line);

       while (*pos == stop) {
              ++pos;
       }

       *line = pos;
       return res;
}

Here is the caller graph for this function:

static char* php_ap_getword_conf ( char **line  TSRMLS_DC) [static]

Definition at line 602 of file rfc1867.c.

{
       char *str = *line, *strend, *res, quote;

#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
       if (php_mb_encoding_translation(TSRMLS_C)) {
              int len=strlen(str);
              php_mb_gpc_encoding_detector(&str, &len, 1, NULL TSRMLS_CC);
       }
#endif

       while (*str && isspace(*str)) {
              ++str;
       }

       if (!*str) {
              *line = str;
              return estrdup("");
       }

       if ((quote = *str) == '"' || quote == '\'') {
              strend = str + 1;
look_for_quote:
              while (*strend && *strend != quote) {
                     if (*strend == '\\' && strend[1] && strend[1] == quote) {
                            strend += 2;
                     } else {
                            ++strend;
                     }
              }
              if (*strend && *strend == quote) {
                     char p = *(strend + 1);
                     if (p != '\r' && p != '\n' && p != '\0') {
                            strend++;
                            goto look_for_quote;
                     }
              }

              res = substring_conf(str + 1, strend - str - 1, quote TSRMLS_CC);

              if (*strend == quote) {
                     ++strend;
              }

       } else {

              strend = str;
              while (*strend && !isspace(*strend)) {
                     ++strend;
              }
              res = substring_conf(str, strend - str, 0 TSRMLS_CC);
       }

       while (*strend && isspace(*strend)) {
              ++strend;
       }

       *line = strend;
       return res;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void* php_ap_memstr ( char *  haystack,
int  haystacklen,
char *  needle,
int  needlen,
int  partial 
) [static]

Definition at line 668 of file rfc1867.c.

{
       int len = haystacklen;
       char *ptr = haystack;

       /* iterate through first character matches */
       while( (ptr = memchr(ptr, needle[0], len)) ) {

              /* calculate length after match */
              len = haystacklen - (ptr - (char *)haystack);

              /* done if matches up to capacity of buffer */
              if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
                     break;
              }

              /* next character */
              ptr++; len--;
       }

       return ptr;
}

Here is the caller graph for this function:

static void php_free_hdr_entry ( mime_header_entry h) [static]

Definition at line 433 of file rfc1867.c.

{
       if (h->key) {
              efree(h->key);
       }
       if (h->value) {
              efree(h->value);
       }
}

Here is the caller graph for this function:

static char* php_mime_get_hdr_value ( zend_llist  header,
char *  key 
) [static]

Definition at line 517 of file rfc1867.c.

{
       mime_header_entry *entry;

       if (key == NULL) {
              return NULL;
       }

       entry = zend_llist_get_first(&header);
       while (entry) {
              if (!strcasecmp(entry->key, key)) {
                     return entry->value;
              }
              entry = zend_llist_get_next(&header);
       }

       return NULL;
}

Here is the caller graph for this function:

static void register_http_post_files_variable ( char *  strvar,
char *  val,
zval *  http_post_files,
zend_bool override_protection  TSRMLS_DC 
) [static]

Definition at line 245 of file rfc1867.c.

{
       int register_globals = PG(register_globals);

       PG(register_globals) = 0;
       safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection TSRMLS_CC);
       PG(register_globals) = register_globals;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void register_http_post_files_variable_ex ( char *  var,
zval *  val,
zval *  http_post_files,
zend_bool override_protection  TSRMLS_DC 
) [static]

Definition at line 255 of file rfc1867.c.

{
       int register_globals = PG(register_globals);

       PG(register_globals) = 0;
       safe_php_register_variable_ex(var, val, http_post_files, override_protection TSRMLS_CC);
       PG(register_globals) = register_globals;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void safe_php_register_variable ( char *  var,
char *  strval,
int  val_len,
zval *  track_vars_array,
zend_bool override_protection  TSRMLS_DC 
) [static]

Definition at line 229 of file rfc1867.c.

{
       if (override_protection || !is_protected_variable(var TSRMLS_CC)) {
              php_register_variable_safe(var, strval, val_len, track_vars_array TSRMLS_CC);
       }
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void safe_php_register_variable_ex ( char *  var,
zval *  val,
zval *  track_vars_array,
zend_bool override_protection  TSRMLS_DC 
) [static]

Definition at line 237 of file rfc1867.c.

{
       if (override_protection || !is_protected_variable(var TSRMLS_CC)) {
              php_register_variable_ex(var, val, track_vars_array TSRMLS_CC);
       }
}

Here is the call graph for this function:

Here is the caller graph for this function:

SAPI_API SAPI_POST_HANDLER_FUNC ( rfc1867_post_handler  )

Definition at line 763 of file rfc1867.c.

{
       char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
       char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
       int boundary_len = 0, total_bytes = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
       int max_file_size = 0, skip_upload = 0, anonindex = 0, is_anonymous;
       zval *http_post_files = NULL;
       HashTable *uploaded_files = NULL;
#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
       int str_len = 0, num_vars = 0, num_vars_max = 2*10, *len_list = NULL;
       char **val_list = NULL;
#endif
       multipart_buffer *mbuff;
       zval *array_ptr = (zval *) arg;
       int fd = -1;
       zend_llist header;
       void *event_extra_data = NULL;
       int llen = 0;
       int upload_cnt = INI_INT("max_file_uploads");

       if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
              sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
              return;
       }

       /* Get the boundary */
       boundary = strstr(content_type_dup, "boundary");
       if (!boundary) {
              int content_type_len = strlen(content_type_dup);
              char *content_type_lcase = estrndup(content_type_dup, content_type_len);

              php_strtolower(content_type_lcase, content_type_len);
              boundary = strstr(content_type_lcase, "boundary");
              if (boundary) {
                     boundary = content_type_dup + (boundary - content_type_lcase);
              }
              efree(content_type_lcase);
       }

       if (!boundary || !(boundary = strchr(boundary, '='))) {
              sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
              return;
       }

       boundary++;
       boundary_len = strlen(boundary);

       if (boundary[0] == '"') {
              boundary++;
              boundary_end = strchr(boundary, '"');
              if (!boundary_end) {
                     sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
                     return;
              }
       } else {
              /* search for the end of the boundary */
              boundary_end = strpbrk(boundary, ",;");
       }
       if (boundary_end) {
              boundary_end[0] = '\0';
              boundary_len = boundary_end-boundary;
       }

       /* Initialize the buffer */
       if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
              sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
              return;
       }

       /* Initialize $_FILES[] */
       zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);

       ALLOC_HASHTABLE(uploaded_files);
       zend_hash_init(uploaded_files, 5, NULL, (dtor_func_t) free_estring, 0);
       SG(rfc1867_uploaded_files) = uploaded_files;

       ALLOC_ZVAL(http_post_files);
       array_init(http_post_files);
       INIT_PZVAL(http_post_files);
       PG(http_globals)[TRACK_VARS_FILES] = http_post_files;

#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
       if (php_mb_encoding_translation(TSRMLS_C)) {
              val_list = (char **)ecalloc(num_vars_max+2, sizeof(char *));
              len_list = (int *)ecalloc(num_vars_max+2, sizeof(int));
       }
#endif
       zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);

       if (php_rfc1867_callback != NULL) {
              multipart_event_start event_start;

              event_start.content_length = SG(request_info).content_length;
              if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data TSRMLS_CC) == FAILURE) {
                     goto fileupload_done;
              }
       }

       while (!multipart_buffer_eof(mbuff TSRMLS_CC))
       {
              char buff[FILLUNIT];
              char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
              size_t blen = 0, wlen = 0;
              off_t offset;

              zend_llist_clean(&header);

              if (!multipart_buffer_headers(mbuff, &header TSRMLS_CC)) {
                     goto fileupload_done;
              }

              if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
                     char *pair = NULL;
                     int end = 0;

                     while (isspace(*cd)) {
                            ++cd;
                     }

                     while (*cd && (pair = php_ap_getword(&cd, ';')))
                     {
                            char *key = NULL, *word = pair;

                            while (isspace(*cd)) {
                                   ++cd;
                            }

                            if (strchr(pair, '=')) {
                                   key = php_ap_getword(&pair, '=');

                                   if (!strcasecmp(key, "name")) {
                                          if (param) {
                                                 efree(param);
                                          }
                                          param = php_ap_getword_conf(&pair TSRMLS_CC);
                                   } else if (!strcasecmp(key, "filename")) {
                                          if (filename) {
                                                 efree(filename);
                                          }
                                          filename = php_ap_getword_conf(&pair TSRMLS_CC);
                                   }
                            }
                            if (key) {
                                   efree(key);
                            }
                            efree(word);
                     }

                     /* Normal form variable, safe to read all data into memory */
                     if (!filename && param) {
                            unsigned int value_len;
                            char *value = multipart_buffer_read_body(mbuff, &value_len TSRMLS_CC);
                            unsigned int new_val_len; /* Dummy variable */

                            if (!value) {
                                   value = estrdup("");
                            }

                            if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
                                   if (php_rfc1867_callback != NULL) {
                                          multipart_event_formdata event_formdata;
                                          size_t newlength = new_val_len;

                                          event_formdata.post_bytes_processed = SG(read_post_bytes);
                                          event_formdata.name = param;
                                          event_formdata.value = &value;
                                          event_formdata.length = new_val_len;
                                          event_formdata.newlength = &newlength;
                                          if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC) == FAILURE) {
                                                 efree(param);
                                                 efree(value);
                                                 continue;
                                          }
                                          new_val_len = newlength;
                                   }

#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
                                   if (php_mb_encoding_translation(TSRMLS_C)) {
                                          php_mb_gpc_stack_variable(param, value, &val_list, &len_list, &num_vars, &num_vars_max TSRMLS_CC);
                                   } else {
                                          safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
                                   }
#else
                                   safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
#endif
                            } else if (php_rfc1867_callback != NULL) {
                                   multipart_event_formdata event_formdata;

                                   event_formdata.post_bytes_processed = SG(read_post_bytes);
                                   event_formdata.name = param;
                                   event_formdata.value = &value;
                                   event_formdata.length = value_len;
                                   event_formdata.newlength = NULL;
                                   php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
                            }

                            if (!strcasecmp(param, "MAX_FILE_SIZE")) {
                                   max_file_size = atol(value);
                            }

                            efree(param);
                            efree(value);
                            continue;
                     }

                     /* If file_uploads=off, skip the file part */
                     if (!PG(file_uploads)) {
                            skip_upload = 1;
                     } else if (upload_cnt <= 0) {
                            skip_upload = 1;
                            sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
                     }

                     /* Return with an error if the posted data is garbled */
                     if (!param && !filename) {
                            sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
                            goto fileupload_done;
                     }

                     if (!param) {
                            is_anonymous = 1;
                            param = emalloc(MAX_SIZE_ANONNAME);
                            snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
                     } else {
                            is_anonymous = 0;
                     }

                     /* New Rule: never repair potential malicious user input */
                     if (!skip_upload) {
                            long c = 0;
                            tmp = param;

                            while (*tmp) {
                                   if (*tmp == '[') {
                                          c++;
                                   } else if (*tmp == ']') {
                                          c--;
                                          if (tmp[1] && tmp[1] != '[') {
                                                 skip_upload = 1;
                                                 break;
                                          }
                                   }
                                   if (c < 0) {
                                          skip_upload = 1;
                                          break;
                                   }
                                   tmp++;
                            }
                     }

                     total_bytes = cancel_upload = 0;
                     temp_filename = NULL;
                     fd = -1;

                     if (!skip_upload && php_rfc1867_callback != NULL) {
                            multipart_event_file_start event_file_start;

                            event_file_start.post_bytes_processed = SG(read_post_bytes);
                            event_file_start.name = param;
                            event_file_start.filename = &filename;
                            if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data TSRMLS_CC) == FAILURE) {
                                   temp_filename = "";
                                   efree(param);
                                   efree(filename);
                                   continue;
                            }
                     }

                     if (skip_upload) {
                            efree(param);
                            efree(filename);
                            continue;
                     }

                     if (strlen(filename) == 0) {
#if DEBUG_FILE_UPLOAD
                            sapi_module.sapi_error(E_NOTICE, "No file uploaded");
#endif
                            cancel_upload = UPLOAD_ERROR_D;
                     }

                     offset = 0;
                     end = 0;
                     
                     if (!cancel_upload) {
                            /* only bother to open temp file if we have data */
                            blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
#if DEBUG_FILE_UPLOAD
                            if (blen > 0) {
#else
                            /* in non-debug mode we have no problem with 0-length files */
                            {
#endif
                                   fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
                                   upload_cnt--;
                                   if (fd == -1) {
                                          sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
                                          cancel_upload = UPLOAD_ERROR_E;
                                   }
                            }
                     }

                     while (!cancel_upload && (blen > 0))
                     {
                            if (php_rfc1867_callback != NULL) {
                                   multipart_event_file_data event_file_data;

                                   event_file_data.post_bytes_processed = SG(read_post_bytes);
                                   event_file_data.offset = offset;
                                   event_file_data.data = buff;
                                   event_file_data.length = blen;
                                   event_file_data.newlength = &blen;
                                   if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data TSRMLS_CC) == FAILURE) {
                                          cancel_upload = UPLOAD_ERROR_X;
                                          continue;
                                   }
                            }

                            if (PG(upload_max_filesize) > 0 && (total_bytes+blen) > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
                                   sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
#endif
                                   cancel_upload = UPLOAD_ERROR_A;
                            } else if (max_file_size && ((total_bytes+blen) > max_file_size)) {
#if DEBUG_FILE_UPLOAD
                                   sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
#endif
                                   cancel_upload = UPLOAD_ERROR_B;
                            } else if (blen > 0) {
                                   wlen = write(fd, buff, blen);

                                   if (wlen == -1) {
                                          /* write failed */
#if DEBUG_FILE_UPLOAD
                                          sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
#endif
                                          cancel_upload = UPLOAD_ERROR_F;
                                   } else if (wlen < blen) {
#if DEBUG_FILE_UPLOAD
                                          sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
#endif
                                          cancel_upload = UPLOAD_ERROR_F;
                                   } else {
                                          total_bytes += wlen;
                                   }
                                   offset += wlen;
                            }

                            /* read data for next iteration */
                            blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
                     }

                     if (fd != -1) { /* may not be initialized if file could not be created */
                            close(fd);
                     }

                     if (!cancel_upload && !end) {
#if DEBUG_FILE_UPLOAD
                            sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", strlen(filename) > 0 ? filename : "");
#endif
                            cancel_upload = UPLOAD_ERROR_C;
                     }
#if DEBUG_FILE_UPLOAD
                     if (strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
                            sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
                            cancel_upload = 5;
                     }
#endif
                     if (php_rfc1867_callback != NULL) {
                            multipart_event_file_end event_file_end;

                            event_file_end.post_bytes_processed = SG(read_post_bytes);
                            event_file_end.temp_filename = temp_filename;
                            event_file_end.cancel_upload = cancel_upload;
                            if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data TSRMLS_CC) == FAILURE) {
                                   cancel_upload = UPLOAD_ERROR_X;
                            }
                     }

                     if (cancel_upload) {
                            if (temp_filename) {
                                   if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
                                          unlink(temp_filename);
                                   }
                                   efree(temp_filename);
                            }
                            temp_filename = "";
                     } else {
                            zend_hash_add(SG(rfc1867_uploaded_files), temp_filename, strlen(temp_filename) + 1, &temp_filename, sizeof(char *), NULL);
                     }

                     /* is_arr_upload is true when name of file upload field
                      * ends in [.*]
                      * start_arr is set to point to 1st [ */
                     is_arr_upload =      (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');

                     if (is_arr_upload) {
                            array_len = strlen(start_arr);
                            if (array_index) {
                                   efree(array_index);
                            }
                            array_index = estrndup(start_arr + 1, array_len - 2);
                     }

                     /* Add $foo_name */
                     if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
                            llen = strlen(param);
                            lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
                            llen += MAX_SIZE_OF_INDEX + 1;
                     }

                     if (is_arr_upload) {
                            if (abuf) efree(abuf);
                            abuf = estrndup(param, strlen(param)-array_len);
                            snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
                     } else {
                            snprintf(lbuf, llen, "%s_name", param);
                     }

#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
                     if (php_mb_encoding_translation(TSRMLS_C)) {
                            if (num_vars >= num_vars_max) {
                                   php_mb_gpc_realloc_buffer(&val_list, &len_list, &num_vars_max, 1 TSRMLS_CC);
                            }
                            val_list[num_vars] = filename;
                            len_list[num_vars] = strlen(filename);
                            num_vars++;
                            if (php_mb_gpc_encoding_detector(val_list, len_list, num_vars, NULL TSRMLS_CC) == SUCCESS) {
                                   str_len = strlen(filename);
                                   php_mb_gpc_encoding_converter(&filename, &str_len, 1, NULL, NULL TSRMLS_CC);
                            }
                            s = php_mb_strrchr(filename, '\\' TSRMLS_CC);
                            if ((tmp = php_mb_strrchr(filename, '/' TSRMLS_CC)) > s) {
                                   s = tmp;
                            }
                            num_vars--;
                            goto filedone;
                     }
#endif
                     /* The \ check should technically be needed for win32 systems only where
                      * it is a valid path separator. However, IE in all it's wisdom always sends
                      * the full path of the file on the user's filesystem, which means that unless
                      * the user does basename() they get a bogus file name. Until IE's user base drops
                      * to nill or problem is fixed this code must remain enabled for all systems. */
                     s = strrchr(filename, '\\');
                     if ((tmp = strrchr(filename, '/')) > s) {
                            s = tmp;
                     }
#ifdef PHP_WIN32
                     if (PG(magic_quotes_gpc)) {
                            if ((tmp = strrchr(s ? s : filename, '\'')) > s) {
                                   s = tmp;
                            }
                            if ((tmp = strrchr(s ? s : filename, '"')) > s) {
                                   s = tmp;
                            }
                     }
#endif

#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
filedone:
#endif

                     if (!is_anonymous) {
                            if (s && s >= filename) {
                                   safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
                            } else {
                                   safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
                            }
                     }

                     /* Add $foo[name] */
                     if (is_arr_upload) {
                            snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
                     } else {
                            snprintf(lbuf, llen, "%s[name]", param);
                     }
                     if (s && s >= filename) {
                            register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
                     } else {
                            register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
                     }
                     efree(filename);
                     s = NULL;

                     /* Possible Content-Type: */
                     if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
                            cd = "";
                     } else {
                            /* fix for Opera 6.01 */
                            s = strchr(cd, ';');
                            if (s != NULL) {
                                   *s = '\0';
                            }
                     }

                     /* Add $foo_type */
                     if (is_arr_upload) {
                            snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
                     } else {
                            snprintf(lbuf, llen, "%s_type", param);
                     }
                     if (!is_anonymous) {
                            safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0 TSRMLS_CC);
                     }

                     /* Add $foo[type] */
                     if (is_arr_upload) {
                            snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
                     } else {
                            snprintf(lbuf, llen, "%s[type]", param);
                     }
                     register_http_post_files_variable(lbuf, cd, http_post_files, 0 TSRMLS_CC);

                     /* Restore Content-Type Header */
                     if (s != NULL) {
                            *s = ';';
                     }
                     s = "";

                     {
                            /* store temp_filename as-is (without magic_quotes_gpc-ing it, in case upload_tmp_dir
                             * contains escapeable characters. escape only the variable name.) */
                            zval zfilename;

                            /* Initialize variables */
                            add_protected_variable(param TSRMLS_CC);

                            /* if param is of form xxx[.*] this will cut it to xxx */
                            if (!is_anonymous) {
                                   ZVAL_STRING(&zfilename, temp_filename, 1);
                                   safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC);
                            }

                            /* Add $foo[tmp_name] */
                            if (is_arr_upload) {
                                   snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
                            } else {
                                   snprintf(lbuf, llen, "%s[tmp_name]", param);
                            }
                            add_protected_variable(lbuf TSRMLS_CC);
                            ZVAL_STRING(&zfilename, temp_filename, 1);
                            register_http_post_files_variable_ex(lbuf, &zfilename, http_post_files, 1 TSRMLS_CC);
                     }

                     {
                            zval file_size, error_type;

                            error_type.value.lval = cancel_upload;
                            error_type.type = IS_LONG;

                            /* Add $foo[error] */
                            if (cancel_upload) {
                                   file_size.value.lval = 0;
                                   file_size.type = IS_LONG;
                            } else {
                                   file_size.value.lval = total_bytes;
                                   file_size.type = IS_LONG;
                            }

                            if (is_arr_upload) {
                                   snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
                            } else {
                                   snprintf(lbuf, llen, "%s[error]", param);
                            }
                            register_http_post_files_variable_ex(lbuf, &error_type, http_post_files, 0 TSRMLS_CC);

                            /* Add $foo_size */
                            if (is_arr_upload) {
                                   snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
                            } else {
                                   snprintf(lbuf, llen, "%s_size", param);
                            }
                            if (!is_anonymous) {
                                   safe_php_register_variable_ex(lbuf, &file_size, NULL, 0 TSRMLS_CC);
                            }

                            /* Add $foo[size] */
                            if (is_arr_upload) {
                                   snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
                            } else {
                                   snprintf(lbuf, llen, "%s[size]", param);
                            }
                            register_http_post_files_variable_ex(lbuf, &file_size, http_post_files, 0 TSRMLS_CC);
                     }
                     efree(param);
              }
       }

fileupload_done:
       if (php_rfc1867_callback != NULL) {
              multipart_event_end event_end;

              event_end.post_bytes_processed = SG(read_post_bytes);
              php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data TSRMLS_CC);
       }

       SAFE_RETURN;
}

Here is the call graph for this function:

static char* substring_conf ( char *  start,
int  len,
char quote  TSRMLS_DC 
) [static]

Definition at line 572 of file rfc1867.c.

{
       char *result = emalloc(len + 2);
       char *resp = result;
       int i;

       for (i = 0; i < len; ++i) {
              if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
                     *resp++ = start[++i];
              } else {
#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
                     if (php_mb_encoding_translation(TSRMLS_C)) {
                            size_t j = php_mb_gpc_mbchar_bytes(start+i TSRMLS_CC);
                            while (j-- > 0 && i < len) {
                                   *resp++ = start[i++];
                            }
                            --i;
                     } else {
                            *resp++ = start[i];
                     }
#else
                     *resp++ = start[i];
#endif
              }
       }

       *resp = '\0';
       return result;
}

Here is the caller graph for this function:

static int unlink_filename ( char **filename  TSRMLS_DC) [static]

Definition at line 265 of file rfc1867.c.

{
       VCWD_UNLINK(*filename);
       return 0;
}

Here is the caller graph for this function:


Variable Documentation

PHPAPI int(* php_rfc1867_callback)(unsigned int event, void *event_data, void **extra TSRMLS_DC) = NULL

Definition at line 39 of file rfc1867.c.