1/*
2   +----------------------------------------------------------------------+
3   | PHP Version 5                                                        |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1997-2014 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Rasmus Lerdorf <rasmus@php.net>                             |
16   |          Jani Taskinen <jani@php.net>                                |
17   +----------------------------------------------------------------------+
18 */
19
20/* $Id$ */
21
22/*
23 *  This product includes software developed by the Apache Group
24 *  for use in the Apache HTTP server project (http://www.apache.org/).
25 *
26 */
27
28#include <stdio.h>
29#include "php.h"
30#include "php_open_temporary_file.h"
31#include "zend_globals.h"
32#include "php_globals.h"
33#include "php_variables.h"
34#include "rfc1867.h"
35#include "ext/standard/php_string.h"
36
37#if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
38# define atoll(s) _atoi64(s)
39# define HAVE_ATOLL 1
40#endif
41
42#define DEBUG_FILE_UPLOAD ZEND_DEBUG
43
/*
 * Default value of the php_rfc1867_encoding_translation hook.
 * Always returns 0, so callers in this file that test the hook take their
 * "no encoding translation" branch.
 */
static int dummy_encoding_translation(TSRMLS_D)
{
    return 0;
}
48
/* Built-in word splitters, defined further down in this file. */
static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop TSRMLS_DC);
static char *php_ap_getword_conf(const zend_encoding *encoding, char *str TSRMLS_DC);

/*
 * Hook pointers and their initial values.
 * The post handler only uses the getword/getword_conf/basename hooks when
 * php_rfc1867_encoding_translation() returns non-zero and an internal
 * encoding is set; otherwise it calls the php_ap_* implementations directly.
 * NOTE(review): the code that replaces these defaults is not visible in this
 * part of the file - presumably an encoding-aware extension installs them.
 */
static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
static php_rfc1867_basename_t php_rfc1867_basename = NULL;

/*
 * Optional event callback. When non-NULL the post handler invokes it with
 * MULTIPART_EVENT_* events; a FAILURE return aborts or skips the current step.
 */
PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra TSRMLS_DC) = NULL;

/* Forward declaration; the definition follows the protected-variable helpers. */
static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC);
62
/* The longest property name we use in an uploaded file array
 * (sizeof also counts the terminating NUL) */
#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")

/* Size in bytes of the buffer that receives the generated (numeric) name
 * of an upload that arrived without a "name" parameter */
#define MAX_SIZE_ANONNAME 33

/* Error codes, exported to userland as the UPLOAD_ERR_* constants.
 * Note that the value 5 is not used. */
#define UPLOAD_ERROR_OK   0  /* File upload successful */
#define UPLOAD_ERROR_A    1  /* Uploaded file exceeded upload_max_filesize */
#define UPLOAD_ERROR_B    2  /* Uploaded file exceeded MAX_FILE_SIZE */
#define UPLOAD_ERROR_C    3  /* Partially uploaded */
#define UPLOAD_ERROR_D    4  /* No file uploaded */
#define UPLOAD_ERROR_E    6  /* Missing /tmp or similar directory */
#define UPLOAD_ERROR_F    7  /* Failed to write file to disk */
#define UPLOAD_ERROR_X    8  /* File upload stopped by extension */
78
/*
 * Registers the UPLOAD_ERR_* long constants, mapping each one to the
 * corresponding UPLOAD_ERROR_* value defined above. All of them are
 * registered with the CONST_CS | CONST_PERSISTENT flags.
 */
void php_rfc1867_register_constants(TSRMLS_D) /* {{{ */
{
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK",         UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE",   UPLOAD_ERROR_A,  CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE",  UPLOAD_ERROR_B,  CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL",    UPLOAD_ERROR_C,  CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE",    UPLOAD_ERROR_D,  CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E,  CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F,  CONST_CS | CONST_PERSISTENT);
    REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION",  UPLOAD_ERROR_X,  CONST_CS | CONST_PERSISTENT);
}
90/* }}} */
91
/*
 * Rewrites varname in place into the canonical form used as a key of the
 * protected-variables hash:
 *   - leading spaces are removed;
 *   - every ' ' and '.' before the first '[' becomes '_';
 *   - leading whitespace (space, CR, LF, tab) inside each "[...]" index
 *     is removed;
 *   - anything that follows a ']' and is not another '[' is cut off.
 * The result is never longer than the input, so no reallocation is needed.
 */
static void normalize_protected_variable(char *varname TSRMLS_DC) /* {{{ */
{
    char *s = varname, *index = NULL, *indexend = NULL, *p;

    /* skip over leading spaces */
    while (*s == ' ') {
        s++;
    }

    /* ... and drop them by shifting the rest of the string to the front */
    if (s != varname) {
        memmove(varname, s, strlen(s)+1);
    }

    /* in the base name (up to the first '[') map ' ' and '.' to '_' */
    for (p = varname; *p && *p != '['; p++) {
        switch(*p) {
            case ' ':
            case '.':
                *p = '_';
                break;
        }
    }

    /* find the first index; a name without '[' is already normalized */
    index = strchr(varname, '[');
    if (index) {
        index++;
        s = index;
    } else {
        return;
    }

    /*
     * Walk the chain of "[...]" indexes. `index` is the read position just
     * after a '[', `s` is the write position; they drift apart once any
     * whitespace has been dropped.
     */
    while (index) {
        while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
            index++;
        }
        /* the index ends just past its ']' or, if unterminated, at end of string */
        indexend = strchr(index, ']');
        indexend = indexend ? indexend + 1 : index + strlen(index);

        if (s != index) {
            /* close the gap left by the skipped whitespace */
            memmove(s, index, strlen(index)+1);
            s += indexend-index;
        } else {
            s = indexend;
        }

        /* continue only if another index follows immediately */
        if (*s == '[') {
            s++;
            index = s;
        } else {
            index = NULL;
        }
    }
    /* truncate whatever follows the last index */
    *s = '\0';
}
148/* }}} */
149
150static void add_protected_variable(char *varname TSRMLS_DC) /* {{{ */
151{
152    normalize_protected_variable(varname TSRMLS_CC);
153    zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
154}
155/* }}} */
156
157static zend_bool is_protected_variable(char *varname TSRMLS_DC) /* {{{ */
158{
159    normalize_protected_variable(varname TSRMLS_CC);
160    return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
161}
162/* }}} */
163
164static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC) /* {{{ */
165{
166    if (override_protection || !is_protected_variable(var TSRMLS_CC)) {
167        php_register_variable_safe(var, strval, val_len, track_vars_array TSRMLS_CC);
168    }
169}
170/* }}} */
171
172static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection TSRMLS_DC) /* {{{ */
173{
174    if (override_protection || !is_protected_variable(var TSRMLS_CC)) {
175        php_register_variable_ex(var, val, track_vars_array TSRMLS_CC);
176    }
177}
178/* }}} */
179
180static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC) /* {{{ */
181{
182    safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection TSRMLS_CC);
183}
184/* }}} */
185
/*
 * Registers the zval val under var in the http_post_files array.
 * Thin wrapper that forwards all arguments to
 * safe_php_register_variable_ex().
 */
static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC) /* {{{ */
{
    safe_php_register_variable_ex(var, val, http_post_files, override_protection TSRMLS_CC);
}
190/* }}} */
191
192static int unlink_filename(zval *el TSRMLS_DC) /* {{{ */
193{
194    char *filename = (char*)Z_PTR_P(el);
195    VCWD_UNLINK(filename);
196    return 0;
197}
198/* }}} */
199
200
201static void free_filename(zval *el) {
202    char *filename = (char*)Z_PTR_P(el);
203    efree(filename);
204}
205
206void destroy_uploaded_files_hash(TSRMLS_D) /* {{{ */
207{
208    zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename TSRMLS_CC);
209    zend_hash_destroy(SG(rfc1867_uploaded_files));
210    FREE_HASHTABLE(SG(rfc1867_uploaded_files));
211}
212/* }}} */
213
214/* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
215
/* Minimum size of the multipart read buffer; also the size of the
 * on-stack chunk buffers used while reading part bodies. */
#define FILLUNIT (1024 * 5)

/* State of the multipart/form-data reader. */
typedef struct {

    /* read buffer */
    char *buffer;           /* start of the allocation (bufsize + 1 bytes) */
    char *buf_begin;        /* first byte that has not been consumed yet */
    int  bufsize;           /* usable capacity of buffer */
    int  bytes_in_buffer;   /* number of unconsumed bytes starting at buf_begin */

    /* boundary info */
    char *boundary;         /* "--" followed by the boundary string */
    char *boundary_next;    /* "\n--" followed by the boundary string */
    int  boundary_next_len; /* length of boundary_next */

    /* encoding detected from the most recent header line, or NULL */
    const zend_encoding *input_encoding;
    /* candidate encodings for detection; NULL/0 when translation is off */
    const zend_encoding **detect_order;
    size_t detect_order_size;
} multipart_buffer;
235
/*
 * One MIME header of a multipart part. Both strings are emalloc'ed copies
 * and are released by php_free_hdr_entry().
 */
typedef struct {
    char *key;   /* header name (text before the ':') */
    char *value; /* header value, with folded continuation lines appended */
} mime_header_entry;
240
241/*
242 * Fill up the buffer with client data.
243 * Returns number of bytes added to buffer.
244 */
245static int fill_buffer(multipart_buffer *self TSRMLS_DC)
246{
247    int bytes_to_read, total_read = 0, actual_read = 0;
248
249    /* shift the existing data if necessary */
250    if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
251        memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
252    }
253
254    self->buf_begin = self->buffer;
255
256    /* calculate the free space in the buffer */
257    bytes_to_read = self->bufsize - self->bytes_in_buffer;
258
259    /* read the required number of bytes */
260    while (bytes_to_read > 0) {
261
262        char *buf = self->buffer + self->bytes_in_buffer;
263
264        actual_read = sapi_module.read_post(buf, bytes_to_read TSRMLS_CC);
265
266        /* update the buffer length */
267        if (actual_read > 0) {
268            self->bytes_in_buffer += actual_read;
269            SG(read_post_bytes) += actual_read;
270            total_read += actual_read;
271            bytes_to_read -= actual_read;
272        } else {
273            break;
274        }
275    }
276
277    return total_read;
278}
279
280/* eof if we are out of bytes, or if we hit the final boundary */
281static int multipart_buffer_eof(multipart_buffer *self TSRMLS_DC)
282{
283    if ( (self->bytes_in_buffer == 0 && fill_buffer(self TSRMLS_CC) < 1) ) {
284        return 1;
285    } else {
286        return 0;
287    }
288}
289
290/* create new multipart_buffer structure */
291static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len TSRMLS_DC)
292{
293    multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
294
295    int minsize = boundary_len + 6;
296    if (minsize < FILLUNIT) minsize = FILLUNIT;
297
298    self->buffer = (char *) ecalloc(1, minsize + 1);
299    self->bufsize = minsize;
300
301    spprintf(&self->boundary, 0, "--%s", boundary);
302
303    self->boundary_next_len = spprintf(&self->boundary_next, 0, "\n--%s", boundary);
304
305    self->buf_begin = self->buffer;
306    self->bytes_in_buffer = 0;
307
308    if (php_rfc1867_encoding_translation(TSRMLS_C)) {
309        php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size TSRMLS_CC);
310    } else {
311        self->detect_order = NULL;
312        self->detect_order_size = 0;
313    }
314
315    self->input_encoding = NULL;
316
317    return self;
318}
319
320/*
321 * Gets the next CRLF terminated line from the input buffer.
322 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
323 * NULL; otherwise, returns the beginning of the null-terminated line,
324 * minus the CRLF.
325 *
326 * Note that we really just look for LF terminated lines. This works
327 * around a bug in internet explorer for the macintosh which sends mime
328 * boundaries that are only LF terminated when you use an image submit
329 * button in a multipart/form-data form.
330 */
331static char *next_line(multipart_buffer *self)
332{
333    /* look for LF in the data */
334    char* line = self->buf_begin;
335    char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
336
337    if (ptr) {  /* LF found */
338
339        /* terminate the string, remove CRLF */
340        if ((ptr - line) > 0 && *(ptr-1) == '\r') {
341            *(ptr-1) = 0;
342        } else {
343            *ptr = 0;
344        }
345
346        /* bump the pointer */
347        self->buf_begin = ptr + 1;
348        self->bytes_in_buffer -= (self->buf_begin - line);
349
350    } else {    /* no LF found */
351
352        /* buffer isn't completely full, fail */
353        if (self->bytes_in_buffer < self->bufsize) {
354            return NULL;
355        }
356        /* return entire buffer as a partial line */
357        line[self->bufsize] = 0;
358        self->buf_begin = ptr;
359        self->bytes_in_buffer = 0;
360    }
361
362    return line;
363}
364
365/* Returns the next CRLF terminated line from the client */
366static char *get_line(multipart_buffer *self TSRMLS_DC)
367{
368    char* ptr = next_line(self);
369
370    if (!ptr) {
371        fill_buffer(self TSRMLS_CC);
372        ptr = next_line(self);
373    }
374
375    return ptr;
376}
377
378/* Free header entry */
379static void php_free_hdr_entry(mime_header_entry *h)
380{
381    if (h->key) {
382        efree(h->key);
383    }
384    if (h->value) {
385        efree(h->value);
386    }
387}
388
389/* finds a boundary */
390static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC)
391{
392    char *line;
393
394    /* loop thru lines */
395    while( (line = get_line(self TSRMLS_CC)) )
396    {
397        /* finished if we found the boundary */
398        if (!strcmp(line, boundary)) {
399            return 1;
400        }
401    }
402
403    /* didn't find the boundary */
404    return 0;
405}
406
407/* parse headers */
408static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
409{
410    char *line;
411    mime_header_entry prev_entry = {0}, entry;
412    int prev_len, cur_len;
413
414    /* didn't find boundary, abort */
415    if (!find_boundary(self, self->boundary TSRMLS_CC)) {
416        return 0;
417    }
418
419    /* get lines of text, or CRLF_CRLF */
420
421    while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' )
422    {
423        /* add header to table */
424        char *key = line;
425        char *value = NULL;
426
427        if (php_rfc1867_encoding_translation(TSRMLS_C)) {
428            self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
429        }
430
431        /* space in the beginning means same header */
432        if (!isspace(line[0])) {
433            value = strchr(line, ':');
434        }
435
436        if (value) {
437            *value = 0;
438            do { value++; } while(isspace(*value));
439
440            entry.value = estrdup(value);
441            entry.key = estrdup(key);
442
443        } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
444
445            prev_len = strlen(prev_entry.value);
446            cur_len = strlen(line);
447
448            entry.value = emalloc(prev_len + cur_len + 1);
449            memcpy(entry.value, prev_entry.value, prev_len);
450            memcpy(entry.value + prev_len, line, cur_len);
451            entry.value[cur_len + prev_len] = '\0';
452
453            entry.key = estrdup(prev_entry.key);
454
455            zend_llist_remove_tail(header);
456        } else {
457            continue;
458        }
459
460        zend_llist_add_element(header, &entry);
461        prev_entry = entry;
462    }
463
464    return 1;
465}
466
467static char *php_mime_get_hdr_value(zend_llist header, char *key)
468{
469    mime_header_entry *entry;
470
471    if (key == NULL) {
472        return NULL;
473    }
474
475    entry = zend_llist_get_first(&header);
476    while (entry) {
477        if (!strcasecmp(entry->key, key)) {
478            return entry->value;
479        }
480        entry = zend_llist_get_next(&header);
481    }
482
483    return NULL;
484}
485
486static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop TSRMLS_DC)
487{
488    char *pos = *line, quote;
489    char *res;
490
491    while (*pos && *pos != stop) {
492        if ((quote = *pos) == '"' || quote == '\'') {
493            ++pos;
494            while (*pos && *pos != quote) {
495                if (*pos == '\\' && pos[1] && pos[1] == quote) {
496                    pos += 2;
497                } else {
498                    ++pos;
499                }
500            }
501            if (*pos) {
502                ++pos;
503            }
504        } else ++pos;
505    }
506    if (*pos == '\0') {
507        res = estrdup(*line);
508        *line += strlen(*line);
509        return res;
510    }
511
512    res = estrndup(*line, pos - *line);
513
514    while (*pos == stop) {
515        ++pos;
516    }
517
518    *line = pos;
519    return res;
520}
521
/*
 * Returns an emalloc'ed, NUL-terminated copy of at most len bytes of
 * start, stopping early at the first unescaped `quote` character.
 * A backslash followed by another backslash or (when quote is non-zero)
 * by the quote character is reduced to that second character.
 */
static char *substring_conf(char *start, int len, char quote)
{
    char *copy = emalloc(len + 1);
    char *out = copy;
    int pos = 0;

    while (pos < len && start[pos] != quote) {
        char ch = start[pos];

        if (ch == '\\') {
            char next = start[pos + 1];

            if (next == '\\' || (quote && next == quote)) {
                /* keep only the escaped character */
                ch = next;
                pos++;
            }
        }

        *out++ = ch;
        pos++;
    }

    *out = '\0';
    return copy;
}
539
540static char *php_ap_getword_conf(const zend_encoding *encoding, char *str TSRMLS_DC)
541{
542    while (*str && isspace(*str)) {
543        ++str;
544    }
545
546    if (!*str) {
547        return estrdup("");
548    }
549
550    if (*str == '"' || *str == '\'') {
551        char quote = *str;
552
553        str++;
554        return substring_conf(str, strlen(str), quote);
555    } else {
556        char *strend = str;
557
558        while (*strend && !isspace(*strend)) {
559            ++strend;
560        }
561        return substring_conf(str, strend - str, 0);
562    }
563}
564
565static char *php_ap_basename(const zend_encoding *encoding, char *path TSRMLS_DC)
566{
567    char *s = strrchr(path, '\\');
568    char *s2 = strrchr(path, '/');
569
570    if (s && s2) {
571        if (s > s2) {
572            ++s;
573        } else {
574            s = ++s2;
575        }
576        return s;
577    } else if (s) {
578        return ++s;
579    } else if (s2) {
580        return ++s2;
581    }
582    return path;
583}
584
/*
 * Searches the first haystacklen bytes of haystack for needle (needlen
 * bytes).
 *
 * When partial is non-zero, a prefix of needle that runs up to the very
 * end of the haystack also counts as a match. Returns a pointer to the
 * start of the first match, or NULL if there is none.
 */
static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
{
    char *cursor = haystack;
    int remaining = haystacklen;

    for (;;) {
        int cmp_len;

        /* jump to the next occurrence of the needle's first byte */
        cursor = memchr(cursor, needle[0], remaining);
        if (cursor == NULL) {
            return NULL;
        }

        /* bytes available from the candidate to the end of the haystack */
        remaining = haystacklen - (cursor - (char *)haystack);
        cmp_len = (needlen < remaining) ? needlen : remaining;

        /* a truncated comparison only counts when partial matches are allowed */
        if (memcmp(needle, cursor, cmp_len) == 0 && (partial || remaining >= needlen)) {
            return cursor;
        }

        /* not a match, resume the scan one byte further */
        cursor++;
        remaining--;
    }
}
612
/*
 * Copies body data of the current part into buf, stopping in front of the
 * next boundary marker.
 *
 * self  - reader state
 * buf   - destination; receives at most bytes-1 data bytes plus a NUL
 * bytes - capacity of buf
 * end   - may be NULL; otherwise *end is set to 1 when a complete boundary
 *         marker is present in the buffered data (it is never reset here)
 *
 * Returns the number of data bytes stored in buf; 0 means nothing could be
 * delivered.
 */
static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end TSRMLS_DC)
{
    size_t len, max;
    char *bound;

    /* fill buffer if needed */
    if (bytes > self->bytes_in_buffer) {
        fill_buffer(self TSRMLS_CC);
    }

    /* look for a potential boundary match, only read data up to that point;
     * the first search also accepts a marker that is cut off at the end of
     * the buffered data, the second one only a complete marker */
    if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
        max = bound - self->buf_begin;
        if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
            *end = 1;
        }
    } else {
        max = self->bytes_in_buffer;
    }

    /* maximum number of bytes we are reading (one byte of buf is kept for
     * the terminating NUL) */
    len = max < bytes-1 ? max : bytes-1;

    /* if we read any data... */
    if (len > 0) {

        /* copy the data */
        memcpy(buf, self->buf_begin, len);
        buf[len] = 0;

        /* a '\r' at the end of the copied data is dropped from the result
         * when a boundary match follows (presumably the CR of the CRLF in
         * front of the marker). len is decremented before the buffer is
         * advanced, so that '\r' stays in the buffer. */
        if (bound && len > 0 && buf[len-1] == '\r') {
            buf[--len] = 0;
        }

        /* update the buffer */
        self->bytes_in_buffer -= len;
        self->buf_begin += len;
    }

    return len;
}
655
656/*
657  XXX: this is horrible memory-usage-wise, but we only expect
658  to do this on small pieces of form data.
659*/
660static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len TSRMLS_DC)
661{
662    char buf[FILLUNIT], *out=NULL;
663    int total_bytes=0, read_bytes=0;
664
665    while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
666        out = erealloc(out, total_bytes + read_bytes + 1);
667        memcpy(out + total_bytes, buf, read_bytes);
668        total_bytes += read_bytes;
669    }
670
671    if (out) {
672        out[total_bytes] = '\0';
673    }
674    *len = total_bytes;
675
676    return out;
677}
678/* }}} */
679
680/*
681 * The combined READER/HANDLER
682 *
683 */
684
685SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
686{
687    char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
688    char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
689    int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
690    int64_t total_bytes = 0, max_file_size = 0;
691    int skip_upload = 0, anonindex = 0, is_anonymous;
692    HashTable *uploaded_files = NULL;
693    multipart_buffer *mbuff;
694    zval *array_ptr = (zval *) arg;
695    int fd = -1;
696    zend_llist header;
697    void *event_extra_data = NULL;
698    unsigned int llen = 0;
699    int upload_cnt = INI_INT("max_file_uploads");
700    const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
701    php_rfc1867_getword_t getword;
702    php_rfc1867_getword_conf_t getword_conf;
703    php_rfc1867_basename_t _basename;
704    zend_long count = 0;
705
706    if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) {
707        getword = php_rfc1867_getword;
708        getword_conf = php_rfc1867_getword_conf;
709        _basename = php_rfc1867_basename;
710    } else {
711        getword = php_ap_getword;
712        getword_conf = php_ap_getword_conf;
713        _basename = php_ap_basename;
714    }
715
716    if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
717        sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
718        return;
719    }
720
721    /* Get the boundary */
722    boundary = strstr(content_type_dup, "boundary");
723    if (!boundary) {
724        int content_type_len = strlen(content_type_dup);
725        char *content_type_lcase = estrndup(content_type_dup, content_type_len);
726
727        php_strtolower(content_type_lcase, content_type_len);
728        boundary = strstr(content_type_lcase, "boundary");
729        if (boundary) {
730            boundary = content_type_dup + (boundary - content_type_lcase);
731        }
732        efree(content_type_lcase);
733    }
734
735    if (!boundary || !(boundary = strchr(boundary, '='))) {
736        sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
737        return;
738    }
739
740    boundary++;
741    boundary_len = strlen(boundary);
742
743    if (boundary[0] == '"') {
744        boundary++;
745        boundary_end = strchr(boundary, '"');
746        if (!boundary_end) {
747            sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
748            return;
749        }
750    } else {
751        /* search for the end of the boundary */
752        boundary_end = strpbrk(boundary, ",;");
753    }
754    if (boundary_end) {
755        boundary_end[0] = '\0';
756        boundary_len = boundary_end-boundary;
757    }
758
759    /* Initialize the buffer */
760    if (!(mbuff = multipart_buffer_new(boundary, boundary_len TSRMLS_CC))) {
761        sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
762        return;
763    }
764
765    /* Initialize $_FILES[] */
766    zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
767
768    ALLOC_HASHTABLE(uploaded_files);
769    zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
770    SG(rfc1867_uploaded_files) = uploaded_files;
771
772    array_init(&PG(http_globals)[TRACK_VARS_FILES]);
773
774    zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
775
776    if (php_rfc1867_callback != NULL) {
777        multipart_event_start event_start;
778
779        event_start.content_length = SG(request_info).content_length;
780        if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data TSRMLS_CC) == FAILURE) {
781            goto fileupload_done;
782        }
783    }
784
785    while (!multipart_buffer_eof(mbuff TSRMLS_CC))
786    {
787        char buff[FILLUNIT];
788        char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
789        size_t blen = 0, wlen = 0;
790        zend_off_t offset;
791
792        zend_llist_clean(&header);
793
794        if (!multipart_buffer_headers(mbuff, &header TSRMLS_CC)) {
795            goto fileupload_done;
796        }
797
798        if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
799            char *pair = NULL;
800            int end = 0;
801
802            while (isspace(*cd)) {
803                ++cd;
804            }
805
806            while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';' TSRMLS_CC)))
807            {
808                char *key = NULL, *word = pair;
809
810                while (isspace(*cd)) {
811                    ++cd;
812                }
813
814                if (strchr(pair, '=')) {
815                    key = getword(mbuff->input_encoding, &pair, '=' TSRMLS_CC);
816
817                    if (!strcasecmp(key, "name")) {
818                        if (param) {
819                            efree(param);
820                        }
821                        param = getword_conf(mbuff->input_encoding, pair TSRMLS_CC);
822                        if (mbuff->input_encoding && internal_encoding) {
823                            unsigned char *new_param;
824                            size_t new_param_len;
825                            if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding TSRMLS_CC)) {
826                                efree(param);
827                                param = (char *)new_param;
828                            }
829                        }
830                    } else if (!strcasecmp(key, "filename")) {
831                        if (filename) {
832                            efree(filename);
833                        }
834                        filename = getword_conf(mbuff->input_encoding, pair TSRMLS_CC);
835                        if (mbuff->input_encoding && internal_encoding) {
836                            unsigned char *new_filename;
837                            size_t new_filename_len;
838                            if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding TSRMLS_CC)) {
839                                efree(filename);
840                                filename = (char *)new_filename;
841                            }
842                        }
843                    }
844                }
845                if (key) {
846                    efree(key);
847                }
848                efree(word);
849            }
850
851            /* Normal form variable, safe to read all data into memory */
852            if (!filename && param) {
853                size_t value_len;
854                char *value = multipart_buffer_read_body(mbuff, &value_len TSRMLS_CC);
855                size_t new_val_len; /* Dummy variable */
856
857                if (!value) {
858                    value = estrdup("");
859                    value_len = 0;
860                }
861
862                if (mbuff->input_encoding && internal_encoding) {
863                    unsigned char *new_value;
864                    size_t new_value_len;
865                    if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding TSRMLS_CC)) {
866                        efree(value);
867                        value = (char *)new_value;
868                        value_len = new_value_len;
869                    }
870                }
871
872                if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
873                    if (php_rfc1867_callback != NULL) {
874                        multipart_event_formdata event_formdata;
875                        size_t newlength = new_val_len;
876
877                        event_formdata.post_bytes_processed = SG(read_post_bytes);
878                        event_formdata.name = param;
879                        event_formdata.value = &value;
880                        event_formdata.length = new_val_len;
881                        event_formdata.newlength = &newlength;
882                        if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC) == FAILURE) {
883                            efree(param);
884                            efree(value);
885                            continue;
886                        }
887                        new_val_len = newlength;
888                    }
889                    safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
890                } else {
891                    if (count == PG(max_input_vars) + 1) {
892                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
893                    }
894
895                    if (php_rfc1867_callback != NULL) {
896                        multipart_event_formdata event_formdata;
897
898                        event_formdata.post_bytes_processed = SG(read_post_bytes);
899                        event_formdata.name = param;
900                        event_formdata.value = &value;
901                        event_formdata.length = value_len;
902                        event_formdata.newlength = NULL;
903                        php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
904                    }
905                }
906
907                if (!strcasecmp(param, "MAX_FILE_SIZE")) {
908#ifdef HAVE_ATOLL
909                    max_file_size = atoll(value);
910#else
911                    max_file_size = strtoll(value, NULL, 10);
912#endif
913                }
914
915                efree(param);
916                efree(value);
917                continue;
918            }
919
920            /* If file_uploads=off, skip the file part */
921            if (!PG(file_uploads)) {
922                skip_upload = 1;
923            } else if (upload_cnt <= 0) {
924                skip_upload = 1;
925                sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
926            }
927
928            /* Return with an error if the posted data is garbled */
929            if (!param && !filename) {
930                sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
931                goto fileupload_done;
932            }
933
934            if (!param) {
935                is_anonymous = 1;
936                param = emalloc(MAX_SIZE_ANONNAME);
937                snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
938            } else {
939                is_anonymous = 0;
940            }
941
942            /* New Rule: never repair potential malicious user input */
943            if (!skip_upload) {
944                long c = 0;
945                tmp = param;
946
947                while (*tmp) {
948                    if (*tmp == '[') {
949                        c++;
950                    } else if (*tmp == ']') {
951                        c--;
952                        if (tmp[1] && tmp[1] != '[') {
953                            skip_upload = 1;
954                            break;
955                        }
956                    }
957                    if (c < 0) {
958                        skip_upload = 1;
959                        break;
960                    }
961                    tmp++;
962                }
963                /* Brackets should always be closed */
964                if(c != 0) {
965                    skip_upload = 1;
966                }
967            }
968
969            total_bytes = cancel_upload = 0;
970            temp_filename = NULL;
971            fd = -1;
972
973            if (!skip_upload && php_rfc1867_callback != NULL) {
974                multipart_event_file_start event_file_start;
975
976                event_file_start.post_bytes_processed = SG(read_post_bytes);
977                event_file_start.name = param;
978                event_file_start.filename = &filename;
979                if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data TSRMLS_CC) == FAILURE) {
980                    temp_filename = "";
981                    efree(param);
982                    efree(filename);
983                    continue;
984                }
985            }
986
987            if (skip_upload) {
988                efree(param);
989                efree(filename);
990                continue;
991            }
992
993            if (filename[0] == '\0') {
994#if DEBUG_FILE_UPLOAD
995                sapi_module.sapi_error(E_NOTICE, "No file uploaded");
996#endif
997                cancel_upload = UPLOAD_ERROR_D;
998            }
999
1000            offset = 0;
1001            end = 0;
1002
1003            if (!cancel_upload) {
1004                /* only bother to open temp file if we have data */
1005                blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
1006#if DEBUG_FILE_UPLOAD
1007                if (blen > 0) {
1008#else
1009                /* in non-debug mode we have no problem with 0-length files */
1010                {
1011#endif
1012                    fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
1013                    upload_cnt--;
1014                    if (fd == -1) {
1015                        sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1016                        cancel_upload = UPLOAD_ERROR_E;
1017                    }
1018                }
1019            }
1020
1021            while (!cancel_upload && (blen > 0))
1022            {
1023                if (php_rfc1867_callback != NULL) {
1024                    multipart_event_file_data event_file_data;
1025
1026                    event_file_data.post_bytes_processed = SG(read_post_bytes);
1027                    event_file_data.offset = offset;
1028                    event_file_data.data = buff;
1029                    event_file_data.length = blen;
1030                    event_file_data.newlength = &blen;
1031                    if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data TSRMLS_CC) == FAILURE) {
1032                        cancel_upload = UPLOAD_ERROR_X;
1033                        continue;
1034                    }
1035                }
1036
1037                if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1038#if DEBUG_FILE_UPLOAD
1039                    sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1040#endif
1041                    cancel_upload = UPLOAD_ERROR_A;
1042                } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1043#if DEBUG_FILE_UPLOAD
1044                    sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1045#endif
1046                    cancel_upload = UPLOAD_ERROR_B;
1047                } else if (blen > 0) {
1048                    wlen = write(fd, buff, blen);
1049
1050                    if (wlen == -1) {
1051                        /* write failed */
1052#if DEBUG_FILE_UPLOAD
1053                        sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1054#endif
1055                        cancel_upload = UPLOAD_ERROR_F;
1056                    } else if (wlen < blen) {
1057#if DEBUG_FILE_UPLOAD
1058                        sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
1059#endif
1060                        cancel_upload = UPLOAD_ERROR_F;
1061                    } else {
1062                        total_bytes += wlen;
1063                    }
1064                    offset += wlen;
1065                }
1066
1067                /* read data for next iteration */
1068                blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC);
1069            }
1070
1071            if (fd != -1) { /* may not be initialized if file could not be created */
1072                close(fd);
1073            }
1074
1075            if (!cancel_upload && !end) {
1076#if DEBUG_FILE_UPLOAD
1077                sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1078#endif
1079                cancel_upload = UPLOAD_ERROR_C;
1080            }
1081#if DEBUG_FILE_UPLOAD
1082            if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1083                sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1084                cancel_upload = 5;
1085            }
1086#endif
1087            if (php_rfc1867_callback != NULL) {
1088                multipart_event_file_end event_file_end;
1089
1090                event_file_end.post_bytes_processed = SG(read_post_bytes);
1091                event_file_end.temp_filename = temp_filename;
1092                event_file_end.cancel_upload = cancel_upload;
1093                if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data TSRMLS_CC) == FAILURE) {
1094                    cancel_upload = UPLOAD_ERROR_X;
1095                }
1096            }
1097
1098            if (cancel_upload) {
1099                if (temp_filename) {
1100                    if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
1101                        unlink(temp_filename);
1102                    }
1103                    efree(temp_filename);
1104                }
1105                temp_filename = "";
1106            } else {
1107                zend_hash_str_add_ptr(SG(rfc1867_uploaded_files), temp_filename, strlen(temp_filename), temp_filename);
1108            }
1109
1110            /* is_arr_upload is true when name of file upload field
1111             * ends in [.*]
1112             * start_arr is set to point to 1st [ */
1113            is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1114
1115            if (is_arr_upload) {
1116                array_len = strlen(start_arr);
1117                if (array_index) {
1118                    efree(array_index);
1119                }
1120                array_index = estrndup(start_arr + 1, array_len - 2);
1121            }
1122
1123            /* Add $foo_name */
1124            if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1125                llen = strlen(param);
1126                lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1127                llen += MAX_SIZE_OF_INDEX + 1;
1128            }
1129
1130            if (is_arr_upload) {
1131                if (abuf) efree(abuf);
1132                abuf = estrndup(param, strlen(param)-array_len);
1133                snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1134            } else {
1135                snprintf(lbuf, llen, "%s_name", param);
1136            }
1137
1138            /* The \ check should technically be needed for win32 systems only where
1139             * it is a valid path separator. However, IE in all it's wisdom always sends
1140             * the full path of the file on the user's filesystem, which means that unless
1141             * the user does basename() they get a bogus file name. Until IE's user base drops
1142             * to nill or problem is fixed this code must remain enabled for all systems. */
1143            s = _basename(internal_encoding, filename TSRMLS_CC);
1144            if (!s) {
1145                s = filename;
1146            }
1147
1148            if (!is_anonymous) {
1149                safe_php_register_variable(lbuf, s, strlen(s), NULL, 0 TSRMLS_CC);
1150            }
1151
1152            /* Add $foo[name] */
1153            if (is_arr_upload) {
1154                snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1155            } else {
1156                snprintf(lbuf, llen, "%s[name]", param);
1157            }
1158            register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0 TSRMLS_CC);
1159            efree(filename);
1160            s = NULL;
1161
1162            /* Possible Content-Type: */
1163            if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1164                cd = "";
1165            } else {
1166                /* fix for Opera 6.01 */
1167                s = strchr(cd, ';');
1168                if (s != NULL) {
1169                    *s = '\0';
1170                }
1171            }
1172
1173            /* Add $foo_type */
1174            if (is_arr_upload) {
1175                snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1176            } else {
1177                snprintf(lbuf, llen, "%s_type", param);
1178            }
1179            if (!is_anonymous) {
1180                safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0 TSRMLS_CC);
1181            }
1182
1183            /* Add $foo[type] */
1184            if (is_arr_upload) {
1185                snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1186            } else {
1187                snprintf(lbuf, llen, "%s[type]", param);
1188            }
1189            register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0 TSRMLS_CC);
1190
1191            /* Restore Content-Type Header */
1192            if (s != NULL) {
1193                *s = ';';
1194            }
1195            s = "";
1196
1197            {
1198                /* store temp_filename as-is (in case upload_tmp_dir
1199                 * contains escapeable characters. escape only the variable name.) */
1200                zval zfilename;
1201
1202                /* Initialize variables */
1203                add_protected_variable(param TSRMLS_CC);
1204
1205                /* if param is of form xxx[.*] this will cut it to xxx */
1206                if (!is_anonymous) {
1207                    ZVAL_STRING(&zfilename, temp_filename);
1208                    safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC);
1209                }
1210
1211                /* Add $foo[tmp_name] */
1212                if (is_arr_upload) {
1213                    snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1214                } else {
1215                    snprintf(lbuf, llen, "%s[tmp_name]", param);
1216                }
1217                add_protected_variable(lbuf TSRMLS_CC);
1218                ZVAL_STRING(&zfilename, temp_filename);
1219                register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1 TSRMLS_CC);
1220            }
1221
1222            {
1223                zval file_size, error_type;
1224                int size_overflow = 0;
1225                char file_size_buf[65];
1226
1227                ZVAL_LONG(&error_type, cancel_upload);
1228
1229                /* Add $foo[error] */
1230                if (cancel_upload) {
1231                    ZVAL_LONG(&file_size, 0);
1232                } else {
1233                    if (total_bytes > ZEND_LONG_MAX) {
1234#ifdef PHP_WIN32
1235                        if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1236                            file_size_buf[0] = '0';
1237                            file_size_buf[1] = '\0';
1238                        }
1239#else
1240                        {
1241                            int __len = snprintf(file_size_buf, 65, "%lld", total_bytes);
1242                            file_size_buf[__len] = '\0';
1243                        }
1244#endif
1245                        size_overflow = 1;
1246
1247                    } else {
1248                        ZVAL_LONG(&file_size, total_bytes);
1249                    }
1250                }
1251
1252                if (is_arr_upload) {
1253                    snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1254                } else {
1255                    snprintf(lbuf, llen, "%s[error]", param);
1256                }
1257                register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0 TSRMLS_CC);
1258
1259                /* Add $foo_size */
1260                if (is_arr_upload) {
1261                    snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1262                } else {
1263                    snprintf(lbuf, llen, "%s_size", param);
1264                }
1265                if (!is_anonymous) {
1266                    if (size_overflow) {
1267                        ZVAL_STRING(&file_size, file_size_buf);
1268                    }
1269                    safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow TSRMLS_CC);
1270                }
1271
1272                /* Add $foo[size] */
1273                if (is_arr_upload) {
1274                    snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1275                } else {
1276                    snprintf(lbuf, llen, "%s[size]", param);
1277                }
1278                if (size_overflow) {
1279                    ZVAL_STRING(&file_size, file_size_buf);
1280                }
1281                register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow TSRMLS_CC);
1282            }
1283            efree(param);
1284        }
1285    }
1286
1287fileupload_done:
1288    if (php_rfc1867_callback != NULL) {
1289        multipart_event_end event_end;
1290
1291        event_end.post_bytes_processed = SG(read_post_bytes);
1292        php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data TSRMLS_CC);
1293    }
1294
1295    if (lbuf) efree(lbuf);
1296    if (abuf) efree(abuf);
1297    if (array_index) efree(array_index);
1298    zend_hash_destroy(&PG(rfc1867_protected_variables));
1299    zend_llist_destroy(&header);
1300    if (mbuff->boundary_next) efree(mbuff->boundary_next);
1301    if (mbuff->boundary) efree(mbuff->boundary);
1302    if (mbuff->buffer) efree(mbuff->buffer);
1303    if (mbuff) efree(mbuff);
1304}
1305/* }}} */
1306
1307SAPI_API void php_rfc1867_set_multibyte_callbacks(
1308                    php_rfc1867_encoding_translation_t encoding_translation,
1309                    php_rfc1867_get_detect_order_t get_detect_order,
1310                    php_rfc1867_set_input_encoding_t set_input_encoding,
1311                    php_rfc1867_getword_t getword,
1312                    php_rfc1867_getword_conf_t getword_conf,
1313                    php_rfc1867_basename_t basename) /* {{{ */
1314{
1315    php_rfc1867_encoding_translation = encoding_translation;
1316    php_rfc1867_get_detect_order = get_detect_order;
1317    php_rfc1867_set_input_encoding = set_input_encoding;
1318    php_rfc1867_getword = getword;
1319    php_rfc1867_getword_conf = getword_conf;
1320    php_rfc1867_basename = basename;
1321}
1322/* }}} */
1323
1324/*
1325 * Local variables:
1326 * tab-width: 4
1327 * c-basic-offset: 4
1328 * End:
1329 * vim600: sw=4 ts=4 fdm=marker
1330 * vim<600: sw=4 ts=4
1331 */
1332