Coverage Report

Created: 2025-06-13 06:43

/src/php-src/main/rfc1867.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Authors: Rasmus Lerdorf <rasmus@php.net>                             |
14
   |          Jani Taskinen <jani@php.net>                                |
15
   +----------------------------------------------------------------------+
16
 */
17
18
/*
19
 *  This product includes software developed by the Apache Group
20
 *  for use in the Apache HTTP server project (http://www.apache.org/).
21
 *
22
 */
23
24
#include <stdio.h>
25
#include "php.h"
26
#include "php_open_temporary_file.h"
27
#include "zend_globals.h"
28
#include "php_globals.h"
29
#include "php_variables.h"
30
#include "rfc1867.h"
31
#include "zend_smart_string.h"
32
#include "zend_exceptions.h"
33
34
#ifndef DEBUG_FILE_UPLOAD
35
# define DEBUG_FILE_UPLOAD 0
36
#endif
37
38
static int dummy_encoding_translation(void)
39
0
{
40
0
  return 0;
41
0
}
42
43
static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
44
static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
45
46
static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
47
static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
48
static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
49
static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
50
static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
51
static php_rfc1867_basename_t php_rfc1867_basename = NULL;
52
53
PHPAPI zend_result (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
54
55
static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, bool override_protection);
56
57
/* The longest property name we use in an uploaded file array */
58
0
#define MAX_SIZE_OF_INDEX sizeof("[full_path]")
59
60
/* The longest anonymous name */
61
0
#define MAX_SIZE_ANONNAME 33
62
63
static void normalize_protected_variable(char *varname) /* {{{ */
64
0
{
65
0
  char *s = varname, *index = NULL, *indexend = NULL, *p;
66
67
  /* skip leading space */
68
0
  while (*s == ' ') {
69
0
    s++;
70
0
  }
71
72
  /* and remove it */
73
0
  if (s != varname) {
74
0
    memmove(varname, s, strlen(s)+1);
75
0
  }
76
77
0
  for (p = varname; *p && *p != '['; p++) {
78
0
    switch(*p) {
79
0
      case ' ':
80
0
      case '.':
81
0
        *p = '_';
82
0
        break;
83
0
    }
84
0
  }
85
86
  /* find index */
87
0
  index = strchr(varname, '[');
88
0
  if (index) {
89
0
    index++;
90
0
    s = index;
91
0
  } else {
92
0
    return;
93
0
  }
94
95
  /* done? */
96
0
  while (index) {
97
0
    while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
98
0
      index++;
99
0
    }
100
0
    indexend = strchr(index, ']');
101
0
    indexend = indexend ? indexend + 1 : index + strlen(index);
102
103
0
    if (s != index) {
104
0
      memmove(s, index, strlen(index)+1);
105
0
      s += indexend-index;
106
0
    } else {
107
0
      s = indexend;
108
0
    }
109
110
0
    if (*s == '[') {
111
0
      s++;
112
0
      index = s;
113
0
    } else {
114
0
      index = NULL;
115
0
    }
116
0
  }
117
0
  *s = '\0';
118
0
}
119
/* }}} */
120
121
static void add_protected_variable(char *varname) /* {{{ */
122
0
{
123
0
  normalize_protected_variable(varname);
124
0
  zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
125
0
}
126
/* }}} */
127
128
static bool is_protected_variable(char *varname) /* {{{ */
129
0
{
130
0
  normalize_protected_variable(varname);
131
0
  return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
132
0
}
133
/* }}} */
134
135
static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, bool override_protection) /* {{{ */
136
0
{
137
0
  if (override_protection || !is_protected_variable(var)) {
138
0
    php_register_variable_safe(var, strval, val_len, track_vars_array);
139
0
  }
140
0
}
141
/* }}} */
142
143
static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, bool override_protection) /* {{{ */
144
0
{
145
0
  if (override_protection || !is_protected_variable(var)) {
146
0
    php_register_variable_ex(var, val, track_vars_array);
147
0
  }
148
0
}
149
/* }}} */
150
151
static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, bool override_protection) /* {{{ */
152
0
{
153
0
  safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
154
0
}
155
/* }}} */
156
157
static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, bool override_protection) /* {{{ */
158
0
{
159
0
  safe_php_register_variable_ex(var, val, http_post_files, override_protection);
160
0
}
161
/* }}} */
162
163
0
static void free_filename(zval *el) {
164
0
  zend_string *filename = Z_STR_P(el);
165
0
  zend_string_release_ex(filename, 0);
166
0
}
167
168
PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
169
0
{
170
0
  zval *el;
171
172
0
  ZEND_HASH_MAP_FOREACH_VAL(SG(rfc1867_uploaded_files), el) {
173
0
    zend_string *filename = Z_STR_P(el);
174
0
    VCWD_UNLINK(ZSTR_VAL(filename));
175
0
  } ZEND_HASH_FOREACH_END();
176
0
  zend_hash_destroy(SG(rfc1867_uploaded_files));
177
0
  FREE_HASHTABLE(SG(rfc1867_uploaded_files));
178
0
  SG(rfc1867_uploaded_files) = NULL;
179
0
}
180
/* }}} */
181
182
/* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
183
184
0
#define FILLUNIT (1024 * 5)
185
186
typedef struct {
187
188
  /* read buffer */
189
  char *buffer;
190
  char *buf_begin;
191
  int  bufsize;
192
  int  bytes_in_buffer;
193
194
  /* boundary info */
195
  char *boundary;
196
  char *boundary_next;
197
  int  boundary_next_len;
198
199
  const zend_encoding *input_encoding;
200
  const zend_encoding **detect_order;
201
  size_t detect_order_size;
202
} multipart_buffer;
203
204
typedef struct {
205
  char *key;
206
  char *value;
207
} mime_header_entry;
208
209
/*
210
 * Fill up the buffer with client data.
211
 * Returns number of bytes added to buffer.
212
 */
213
static int fill_buffer(multipart_buffer *self)
214
0
{
215
0
  int bytes_to_read, total_read = 0, actual_read = 0;
216
217
  /* shift the existing data if necessary */
218
0
  if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
219
0
    memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
220
0
  }
221
222
0
  self->buf_begin = self->buffer;
223
224
  /* calculate the free space in the buffer */
225
0
  bytes_to_read = self->bufsize - self->bytes_in_buffer;
226
227
  /* read the required number of bytes */
228
0
  while (bytes_to_read > 0) {
229
230
0
    char *buf = self->buffer + self->bytes_in_buffer;
231
232
0
    actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
233
234
    /* update the buffer length */
235
0
    if (actual_read > 0) {
236
0
      self->bytes_in_buffer += actual_read;
237
0
      SG(read_post_bytes) += actual_read;
238
0
      total_read += actual_read;
239
0
      bytes_to_read -= actual_read;
240
0
    } else {
241
0
      break;
242
0
    }
243
0
  }
244
245
0
  return total_read;
246
0
}
247
248
/* eof if we are out of bytes, or if we hit the final boundary */
249
static int multipart_buffer_eof(multipart_buffer *self)
250
0
{
251
0
  return self->bytes_in_buffer == 0 && fill_buffer(self) < 1;
252
0
}
253
254
/* create new multipart_buffer structure */
255
static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
256
0
{
257
0
  multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
258
259
0
  int minsize = boundary_len + 6;
260
0
  if (minsize < FILLUNIT) minsize = FILLUNIT;
261
262
0
  self->buffer = (char *) ecalloc(1, minsize + 1);
263
0
  self->bufsize = minsize;
264
265
0
  spprintf(&self->boundary, 0, "--%s", boundary);
266
267
0
  self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
268
269
0
  self->buf_begin = self->buffer;
270
0
  self->bytes_in_buffer = 0;
271
272
0
  if (php_rfc1867_encoding_translation()) {
273
0
    php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
274
0
  } else {
275
0
    self->detect_order = NULL;
276
0
    self->detect_order_size = 0;
277
0
  }
278
279
0
  self->input_encoding = NULL;
280
281
0
  return self;
282
0
}
283
284
/*
285
 * Gets the next CRLF terminated line from the input buffer.
286
 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
287
 * NULL; otherwise, returns the beginning of the null-terminated line,
288
 * minus the CRLF.
289
 *
290
 * Note that we really just look for LF terminated lines. This works
291
 * around a bug in internet explorer for the macintosh which sends mime
292
 * boundaries that are only LF terminated when you use an image submit
293
 * button in a multipart/form-data form.
294
 */
295
static char *next_line(multipart_buffer *self)
296
0
{
297
  /* look for LF in the data */
298
0
  char* line = self->buf_begin;
299
0
  char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
300
301
0
  if (ptr) { /* LF found */
302
303
    /* terminate the string, remove CRLF */
304
0
    if ((ptr - line) > 0 && *(ptr-1) == '\r') {
305
0
      *(ptr-1) = 0;
306
0
    } else {
307
0
      *ptr = 0;
308
0
    }
309
310
    /* bump the pointer */
311
0
    self->buf_begin = ptr + 1;
312
0
    self->bytes_in_buffer -= (self->buf_begin - line);
313
314
0
  } else { /* no LF found */
315
316
    /* buffer isn't completely full, fail */
317
0
    if (self->bytes_in_buffer < self->bufsize) {
318
0
      return NULL;
319
0
    }
320
    /* return entire buffer as a partial line */
321
0
    line[self->bufsize] = 0;
322
0
    self->bytes_in_buffer = 0;
323
    /* Let fill_buffer() handle the reset of self->buf_begin */
324
0
  }
325
326
0
  return line;
327
0
}
328
329
/* Returns the next CRLF terminated line from the client */
330
static char *get_line(multipart_buffer *self)
331
0
{
332
0
  char* ptr = next_line(self);
333
334
0
  if (!ptr) {
335
0
    fill_buffer(self);
336
0
    ptr = next_line(self);
337
0
  }
338
339
0
  return ptr;
340
0
}
341
342
/* Free header entry */
343
static void php_free_hdr_entry(mime_header_entry *h)
344
0
{
345
0
  if (h->key) {
346
0
    efree(h->key);
347
0
  }
348
0
  if (h->value) {
349
0
    efree(h->value);
350
0
  }
351
0
}
352
353
/* finds a boundary */
354
static int find_boundary(multipart_buffer *self, char *boundary)
355
0
{
356
0
  char *line;
357
358
  /* loop through lines */
359
0
  while( (line = get_line(self)) )
360
0
  {
361
    /* finished if we found the boundary */
362
0
    if (!strcmp(line, boundary)) {
363
0
      return 1;
364
0
    }
365
0
  }
366
367
  /* didn't find the boundary */
368
0
  return 0;
369
0
}
370
371
/* parse headers */
372
static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
373
0
{
374
0
  char *line;
375
0
  mime_header_entry entry = {0};
376
0
  smart_string buf_value = {0};
377
0
  char *key = NULL;
378
379
  /* didn't find boundary, abort */
380
0
  if (!find_boundary(self, self->boundary)) {
381
0
    return 0;
382
0
  }
383
384
  /* get lines of text, or CRLF_CRLF */
385
386
0
  while ((line = get_line(self)) && line[0] != '\0') {
387
    /* add header to table */
388
0
    char *value = NULL;
389
390
0
    if (php_rfc1867_encoding_translation()) {
391
0
      self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
392
0
    }
393
394
    /* space in the beginning means same header */
395
0
    if (!isspace(line[0])) {
396
0
      value = strchr(line, ':');
397
0
    }
398
399
0
    if (value) {
400
0
      if (buf_value.c && key) {
401
        /* new entry, add the old one to the list */
402
0
        smart_string_0(&buf_value);
403
0
        entry.key = key;
404
0
        entry.value = buf_value.c;
405
0
        zend_llist_add_element(header, &entry);
406
0
        buf_value.c = NULL;
407
0
        key = NULL;
408
0
      }
409
410
0
      *value = '\0';
411
0
      do { value++; } while (isspace(*value));
412
413
0
      key = estrdup(line);
414
0
      smart_string_appends(&buf_value, value);
415
0
    } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
416
0
      smart_string_appends(&buf_value, line);
417
0
    } else {
418
0
      continue;
419
0
    }
420
0
  }
421
422
0
  if (buf_value.c && key) {
423
    /* add the last one to the list */
424
0
    smart_string_0(&buf_value);
425
0
    entry.key = key;
426
0
    entry.value = buf_value.c;
427
0
    zend_llist_add_element(header, &entry);
428
0
  }
429
430
0
  return 1;
431
0
}
432
433
static char *php_mime_get_hdr_value(zend_llist header, char *key)
434
0
{
435
0
  mime_header_entry *entry;
436
437
0
  if (key == NULL) {
438
0
    return NULL;
439
0
  }
440
441
0
  entry = zend_llist_get_first(&header);
442
0
  while (entry) {
443
0
    if (!strcasecmp(entry->key, key)) {
444
0
      return entry->value;
445
0
    }
446
0
    entry = zend_llist_get_next(&header);
447
0
  }
448
449
0
  return NULL;
450
0
}
451
452
static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
453
0
{
454
0
  char *pos = *line, quote;
455
0
  char *res;
456
457
0
  while (*pos && *pos != stop) {
458
0
    if ((quote = *pos) == '"' || quote == '\'') {
459
0
      ++pos;
460
0
      while (*pos && *pos != quote) {
461
0
        if (*pos == '\\' && pos[1] && pos[1] == quote) {
462
0
          pos += 2;
463
0
        } else {
464
0
          ++pos;
465
0
        }
466
0
      }
467
0
      if (*pos) {
468
0
        ++pos;
469
0
      }
470
0
    } else ++pos;
471
0
  }
472
0
  if (*pos == '\0') {
473
0
    res = estrdup(*line);
474
0
    *line += strlen(*line);
475
0
    return res;
476
0
  }
477
478
0
  res = estrndup(*line, pos - *line);
479
480
0
  while (*pos == stop) {
481
0
    ++pos;
482
0
  }
483
484
0
  *line = pos;
485
0
  return res;
486
0
}
487
488
static char *substring_conf(char *start, int len, char quote)
489
0
{
490
0
  char *result = emalloc(len + 1);
491
0
  char *resp = result;
492
0
  int i;
493
494
0
  for (i = 0; i < len && start[i] != quote; ++i) {
495
0
    if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
496
0
      *resp++ = start[++i];
497
0
    } else {
498
0
      *resp++ = start[i];
499
0
    }
500
0
  }
501
502
0
  *resp = '\0';
503
0
  return result;
504
0
}
505
506
static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
507
0
{
508
0
  while (*str && isspace(*str)) {
509
0
    ++str;
510
0
  }
511
512
0
  if (!*str) {
513
0
    return estrdup("");
514
0
  }
515
516
0
  if (*str == '"' || *str == '\'') {
517
0
    char quote = *str;
518
519
0
    str++;
520
0
    return substring_conf(str, (int)strlen(str), quote);
521
0
  } else {
522
0
    char *strend = str;
523
524
0
    while (*strend && !isspace(*strend)) {
525
0
      ++strend;
526
0
    }
527
0
    return substring_conf(str, strend - str, 0);
528
0
  }
529
0
}
530
531
static char *php_ap_basename(const zend_encoding *encoding, char *path)
532
0
{
533
0
  char *s = strrchr(path, '\\');
534
0
  char *s2 = strrchr(path, '/');
535
536
0
  if (s && s2) {
537
0
    if (s > s2) {
538
0
      ++s;
539
0
    } else {
540
0
      s = ++s2;
541
0
    }
542
0
    return s;
543
0
  } else if (s) {
544
0
    return ++s;
545
0
  } else if (s2) {
546
0
    return ++s2;
547
0
  }
548
0
  return path;
549
0
}
550
551
/*
552
 * Search for a string in a fixed-length byte string.
553
 * If partial is true, partial matches are allowed at the end of the buffer.
554
 * Returns NULL if not found, or a pointer to the start of the first match.
555
 */
556
static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
557
0
{
558
0
  int len = haystacklen;
559
0
  char *ptr = haystack;
560
561
  /* iterate through first character matches */
562
0
  while( (ptr = memchr(ptr, needle[0], len)) ) {
563
564
    /* calculate length after match */
565
0
    len = haystacklen - (ptr - (char *)haystack);
566
567
    /* done if matches up to capacity of buffer */
568
0
    if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
569
0
      break;
570
0
    }
571
572
    /* next character */
573
0
    ptr++; len--;
574
0
  }
575
576
0
  return ptr;
577
0
}
578
579
/* read until a boundary condition */
580
static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
581
0
{
582
0
  size_t len, max;
583
0
  char *bound;
584
585
  /* fill buffer if needed */
586
0
  if (bytes > (size_t)self->bytes_in_buffer) {
587
0
    fill_buffer(self);
588
0
  }
589
590
  /* look for a potential boundary match, only read data up to that point */
591
0
  if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
592
0
    max = bound - self->buf_begin;
593
0
    if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
594
0
      *end = 1;
595
0
    }
596
0
  } else {
597
0
    max = self->bytes_in_buffer;
598
0
  }
599
600
  /* maximum number of bytes we are reading */
601
0
  len = max < bytes-1 ? max : bytes-1;
602
603
  /* if we read any data... */
604
0
  if (len > 0) {
605
606
    /* copy the data */
607
0
    memcpy(buf, self->buf_begin, len);
608
0
    buf[len] = 0;
609
610
0
    if (bound && len > 0 && buf[len-1] == '\r') {
611
0
      buf[--len] = 0;
612
0
    }
613
614
    /* update the buffer */
615
0
    self->bytes_in_buffer -= (int)len;
616
0
    self->buf_begin += len;
617
0
  }
618
619
0
  return len;
620
0
}
621
622
/*
623
  XXX: this is horrible memory-usage-wise, but we only expect
624
  to do this on small pieces of form data.
625
*/
626
static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
627
0
{
628
0
  char buf[FILLUNIT], *out=NULL;
629
0
  size_t total_bytes=0, read_bytes=0;
630
631
0
  while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
632
0
    out = erealloc(out, total_bytes + read_bytes + 1);
633
0
    memcpy(out + total_bytes, buf, read_bytes);
634
0
    total_bytes += read_bytes;
635
0
  }
636
637
0
  if (out) {
638
0
    out[total_bytes] = '\0';
639
0
  }
640
0
  *len = total_bytes;
641
642
0
  return out;
643
0
}
644
/* }}} */
645
646
/*
647
 * The combined READER/HANDLER
648
 *
649
 */
650
651
SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
652
0
{
653
0
  char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
654
0
  char *lbuf = NULL, *abuf = NULL;
655
0
  zend_string *temp_filename = NULL;
656
0
  int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
657
0
  size_t array_len = 0;
658
0
  int64_t total_bytes = 0, max_file_size = 0;
659
0
  int skip_upload = 0, anonymous_index = 0;
660
0
  HashTable *uploaded_files = NULL;
661
0
  multipart_buffer *mbuff;
662
0
  zval *array_ptr = (zval *) arg;
663
0
  bool throw_exceptions = SG(request_parse_body_context).throw_exceptions;
664
0
  int fd = -1;
665
0
  zend_llist header;
666
0
  void *event_extra_data = NULL;
667
0
  unsigned int llen = 0;
668
0
  zend_long upload_cnt = REQUEST_PARSE_BODY_OPTION_GET(max_file_uploads, INI_INT("max_file_uploads"));
669
0
  zend_long body_parts_cnt = REQUEST_PARSE_BODY_OPTION_GET(max_multipart_body_parts, INI_INT("max_multipart_body_parts"));
670
0
  zend_long post_max_size = REQUEST_PARSE_BODY_OPTION_GET(post_max_size, SG(post_max_size));
671
0
  zend_long max_input_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
672
0
  zend_long upload_max_filesize = REQUEST_PARSE_BODY_OPTION_GET(upload_max_filesize, PG(upload_max_filesize));
673
0
  const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
674
0
  php_rfc1867_getword_t getword;
675
0
  php_rfc1867_getword_conf_t getword_conf;
676
0
  php_rfc1867_basename_t _basename;
677
0
  zend_long count = 0;
678
679
0
#define EMIT_WARNING_OR_ERROR(...) do { \
680
0
    if (throw_exceptions) { \
681
0
      zend_throw_exception_ex(zend_ce_request_parse_body_exception, 0, __VA_ARGS__); \
682
0
    } else { \
683
0
      php_error_docref(NULL, E_WARNING, __VA_ARGS__); \
684
0
    } \
685
0
  } while (0)
686
687
0
  if (php_rfc1867_encoding_translation() && internal_encoding) {
688
0
    getword = php_rfc1867_getword;
689
0
    getword_conf = php_rfc1867_getword_conf;
690
0
    _basename = php_rfc1867_basename;
691
0
  } else {
692
0
    getword = php_ap_getword;
693
0
    getword_conf = php_ap_getword_conf;
694
0
    _basename = php_ap_basename;
695
0
  }
696
697
0
  if (post_max_size > 0 && SG(request_info).content_length > post_max_size) {
698
0
    EMIT_WARNING_OR_ERROR("POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, post_max_size);
699
0
    return;
700
0
  }
701
702
0
  if (body_parts_cnt < 0) {
703
0
    body_parts_cnt = max_input_vars + upload_cnt;
704
0
  }
705
0
  int body_parts_limit = body_parts_cnt;
706
707
  /* Get the boundary */
708
0
  boundary = strstr(content_type_dup, "boundary");
709
0
  if (!boundary) {
710
0
    int content_type_len = (int)strlen(content_type_dup);
711
0
    char *content_type_lcase = estrndup(content_type_dup, content_type_len);
712
713
0
    zend_str_tolower(content_type_lcase, content_type_len);
714
0
    boundary = strstr(content_type_lcase, "boundary");
715
0
    if (boundary) {
716
0
      boundary = content_type_dup + (boundary - content_type_lcase);
717
0
    }
718
0
    efree(content_type_lcase);
719
0
  }
720
721
0
  if (!boundary || !(boundary = strchr(boundary, '='))) {
722
0
    EMIT_WARNING_OR_ERROR("Missing boundary in multipart/form-data POST data");
723
0
    return;
724
0
  }
725
726
0
  boundary++;
727
0
  boundary_len = (int)strlen(boundary);
728
729
0
  if (boundary[0] == '"') {
730
0
    boundary++;
731
0
    boundary_end = strchr(boundary, '"');
732
0
    if (!boundary_end) {
733
0
      EMIT_WARNING_OR_ERROR("Invalid boundary in multipart/form-data POST data");
734
0
      return;
735
0
    }
736
0
  } else {
737
    /* search for the end of the boundary */
738
0
    boundary_end = strpbrk(boundary, ",;");
739
0
  }
740
0
  if (boundary_end) {
741
0
    boundary_end[0] = '\0';
742
0
    boundary_len = boundary_end-boundary;
743
0
  }
744
745
  /* Boundaries larger than FILLUNIT-strlen("\r\n--") characters lead to
746
   * erroneous parsing */
747
0
  if (boundary_len > FILLUNIT-strlen("\r\n--")) {
748
0
    sapi_module.sapi_error(E_WARNING, "Boundary too large in multipart/form-data POST data");
749
0
    return;
750
0
  }
751
752
  /* Initialize the buffer */
753
0
  mbuff = multipart_buffer_new(boundary, boundary_len);
754
755
  /* Initialize $_FILES[] */
756
0
  zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
757
758
0
  ALLOC_HASHTABLE(uploaded_files);
759
0
  zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
760
0
  SG(rfc1867_uploaded_files) = uploaded_files;
761
762
0
  if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
763
    /* php_auto_globals_create_files() might have already done that */
764
0
    array_init(&PG(http_globals)[TRACK_VARS_FILES]);
765
0
  }
766
767
0
  zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
768
769
0
  if (php_rfc1867_callback != NULL) {
770
0
    multipart_event_start event_start;
771
772
0
    event_start.content_length = SG(request_info).content_length;
773
0
    if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
774
0
      goto fileupload_done;
775
0
    }
776
0
  }
777
778
0
  while (!multipart_buffer_eof(mbuff))
779
0
  {
780
0
    char buff[FILLUNIT];
781
0
    char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
782
0
    size_t blen = 0, wlen = 0;
783
0
    zend_off_t offset;
784
785
0
    zend_llist_clean(&header);
786
787
0
    if (!multipart_buffer_headers(mbuff, &header)) {
788
0
      goto fileupload_done;
789
0
    }
790
791
0
    if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
792
0
      char *pair = NULL;
793
0
      int end = 0;
794
795
0
      if (--body_parts_cnt < 0) {
796
0
        EMIT_WARNING_OR_ERROR("Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
797
0
        goto fileupload_done;
798
0
      }
799
800
0
      while (isspace(*cd)) {
801
0
        ++cd;
802
0
      }
803
804
0
      while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
805
0
      {
806
0
        char *key = NULL, *word = pair;
807
808
0
        while (isspace(*cd)) {
809
0
          ++cd;
810
0
        }
811
812
0
        if (strchr(pair, '=')) {
813
0
          key = getword(mbuff->input_encoding, &pair, '=');
814
815
0
          if (!strcasecmp(key, "name")) {
816
0
            if (param) {
817
0
              efree(param);
818
0
            }
819
0
            param = getword_conf(mbuff->input_encoding, pair);
820
0
            if (mbuff->input_encoding && internal_encoding) {
821
0
              unsigned char *new_param;
822
0
              size_t new_param_len;
823
0
              if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
824
0
                efree(param);
825
0
                param = (char *)new_param;
826
0
              }
827
0
            }
828
0
          } else if (!strcasecmp(key, "filename")) {
829
0
            if (filename) {
830
0
              efree(filename);
831
0
            }
832
0
            filename = getword_conf(mbuff->input_encoding, pair);
833
0
            if (mbuff->input_encoding && internal_encoding) {
834
0
              unsigned char *new_filename;
835
0
              size_t new_filename_len;
836
0
              if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
837
0
                efree(filename);
838
0
                filename = (char *)new_filename;
839
0
              }
840
0
            }
841
0
          }
842
0
        }
843
0
        if (key) {
844
0
          efree(key);
845
0
        }
846
0
        efree(word);
847
0
      }
848
849
      /* Normal form variable, safe to read all data into memory */
850
0
      if (!filename && param) {
851
0
        size_t value_len;
852
0
        char *value = multipart_buffer_read_body(mbuff, &value_len);
853
0
        size_t new_val_len; /* Dummy variable */
854
855
0
        if (!value) {
856
0
          value = estrdup("");
857
0
          value_len = 0;
858
0
        }
859
860
0
        if (mbuff->input_encoding && internal_encoding) {
861
0
          unsigned char *new_value;
862
0
          size_t new_value_len;
863
0
          if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
864
0
            efree(value);
865
0
            value = (char *)new_value;
866
0
            value_len = new_value_len;
867
0
          }
868
0
        }
869
870
0
        if (++count <= max_input_vars && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
871
0
          if (php_rfc1867_callback != NULL) {
872
0
            multipart_event_formdata event_formdata;
873
0
            size_t newlength = new_val_len;
874
875
0
            event_formdata.post_bytes_processed = SG(read_post_bytes);
876
0
            event_formdata.name = param;
877
0
            event_formdata.value = &value;
878
0
            event_formdata.length = new_val_len;
879
0
            event_formdata.newlength = &newlength;
880
0
            if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
881
0
              efree(param);
882
0
              efree(value);
883
0
              continue;
884
0
            }
885
0
            new_val_len = newlength;
886
0
          }
887
0
          safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
888
0
        } else {
889
0
          if (count == max_input_vars + 1) {
890
0
            EMIT_WARNING_OR_ERROR("Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", max_input_vars);
891
0
          }
892
893
0
          if (php_rfc1867_callback != NULL) {
894
0
            multipart_event_formdata event_formdata;
895
896
0
            event_formdata.post_bytes_processed = SG(read_post_bytes);
897
0
            event_formdata.name = param;
898
0
            event_formdata.value = &value;
899
0
            event_formdata.length = value_len;
900
0
            event_formdata.newlength = NULL;
901
0
            php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
902
0
          }
903
0
        }
904
905
0
        if (!strcasecmp(param, "MAX_FILE_SIZE")) {
906
0
          max_file_size = strtoll(value, NULL, 10);
907
0
        }
908
909
0
        efree(param);
910
0
        efree(value);
911
0
        continue;
912
0
      }
913
914
      /* If file_uploads=off, skip the file part */
915
0
      if (!PG(file_uploads)) {
916
0
        skip_upload = 1;
917
0
      } else if (upload_cnt <= 0) {
918
0
        skip_upload = 1;
919
0
        if (upload_cnt == 0) {
920
0
          --upload_cnt;
921
0
          EMIT_WARNING_OR_ERROR("Maximum number of allowable file uploads has been exceeded");
922
0
        }
923
0
      }
924
925
      /* Return with an error if the posted data is garbled */
926
0
      if (!param && !filename) {
927
0
        EMIT_WARNING_OR_ERROR("File Upload Mime headers garbled");
928
0
        goto fileupload_done;
929
0
      }
930
931
0
      if (!param) {
932
0
        param = emalloc(MAX_SIZE_ANONNAME);
933
0
        snprintf(param, MAX_SIZE_ANONNAME, "%u", anonymous_index++);
934
0
      }
935
936
      /* New Rule: never repair potential malicious user input */
937
0
      if (!skip_upload) {
938
0
        long c = 0;
939
0
        tmp = param;
940
941
0
        while (*tmp) {
942
0
          if (*tmp == '[') {
943
0
            c++;
944
0
          } else if (*tmp == ']') {
945
0
            c--;
946
0
            if (tmp[1] && tmp[1] != '[') {
947
0
              skip_upload = 1;
948
0
              break;
949
0
            }
950
0
          }
951
0
          if (c < 0) {
952
0
            skip_upload = 1;
953
0
            break;
954
0
          }
955
0
          tmp++;
956
0
        }
957
        /* Brackets should always be closed */
958
0
        if(c != 0) {
959
0
          skip_upload = 1;
960
0
        }
961
0
      }
962
963
0
      total_bytes = cancel_upload = 0;
964
0
      temp_filename = NULL;
965
0
      fd = -1;
966
967
0
      if (!skip_upload && php_rfc1867_callback != NULL) {
968
0
        multipart_event_file_start event_file_start;
969
970
0
        event_file_start.post_bytes_processed = SG(read_post_bytes);
971
0
        event_file_start.name = param;
972
0
        event_file_start.filename = &filename;
973
0
        if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
974
0
          temp_filename = NULL;
975
0
          efree(param);
976
0
          efree(filename);
977
0
          continue;
978
0
        }
979
0
      }
980
981
0
      if (skip_upload) {
982
0
        efree(param);
983
0
        efree(filename);
984
0
        continue;
985
0
      }
986
987
0
      if (filename[0] == '\0') {
988
#if DEBUG_FILE_UPLOAD
989
        sapi_module.sapi_error(E_NOTICE, "No file uploaded");
990
#endif
991
0
        cancel_upload = PHP_UPLOAD_ERROR_D;
992
0
      }
993
994
0
      offset = 0;
995
0
      end = 0;
996
997
0
      if (!cancel_upload) {
998
        /* only bother to open temp file if we have data */
999
0
        blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1000
#if DEBUG_FILE_UPLOAD
1001
        if (blen > 0) {
1002
#else
1003
        /* in non-debug mode we have no problem with 0-length files */
1004
0
        {
1005
0
#endif
1006
0
          fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK);
1007
0
          upload_cnt--;
1008
0
          if (fd == -1) {
1009
0
            EMIT_WARNING_OR_ERROR("File upload error - unable to create a temporary file");
1010
0
            cancel_upload = PHP_UPLOAD_ERROR_E;
1011
0
          }
1012
0
        }
1013
0
      }
1014
1015
0
      while (!cancel_upload && (blen > 0))
1016
0
      {
1017
0
        if (php_rfc1867_callback != NULL) {
1018
0
          multipart_event_file_data event_file_data;
1019
1020
0
          event_file_data.post_bytes_processed = SG(read_post_bytes);
1021
0
          event_file_data.offset = offset;
1022
0
          event_file_data.data = buff;
1023
0
          event_file_data.length = blen;
1024
0
          event_file_data.newlength = &blen;
1025
0
          if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1026
0
            cancel_upload = PHP_UPLOAD_ERROR_X;
1027
0
            continue;
1028
0
          }
1029
0
        }
1030
1031
0
        if (upload_max_filesize > 0 && (zend_long)(total_bytes+blen) > upload_max_filesize) {
1032
#if DEBUG_FILE_UPLOAD
1033
          sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", upload_max_filesize, param, filename);
1034
#endif
1035
0
          cancel_upload = PHP_UPLOAD_ERROR_A;
1036
0
        } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1037
#if DEBUG_FILE_UPLOAD
1038
          sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %" PRId64 " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1039
#endif
1040
0
          cancel_upload = PHP_UPLOAD_ERROR_B;
1041
0
        } else if (blen > 0) {
1042
#ifdef PHP_WIN32
1043
          wlen = write(fd, buff, (unsigned int)blen);
1044
#else
1045
0
          wlen = write(fd, buff, blen);
1046
0
#endif
1047
1048
0
          if (wlen == (size_t)-1) {
1049
            /* write failed */
1050
#if DEBUG_FILE_UPLOAD
1051
            sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1052
#endif
1053
0
            cancel_upload = PHP_UPLOAD_ERROR_F;
1054
0
          } else if (wlen < blen) {
1055
#if DEBUG_FILE_UPLOAD
1056
            sapi_module.sapi_error(E_NOTICE, "Only %zd bytes were written, expected to write %zd", wlen, blen);
1057
#endif
1058
0
            cancel_upload = PHP_UPLOAD_ERROR_F;
1059
0
          } else {
1060
0
            total_bytes += wlen;
1061
0
          }
1062
0
          offset += wlen;
1063
0
        }
1064
1065
        /* read data for next iteration */
1066
0
        blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1067
0
      }
1068
1069
0
      if (fd != -1) { /* may not be initialized if file could not be created */
1070
0
        close(fd);
1071
0
      }
1072
1073
0
      if (!cancel_upload && !end) {
1074
#if DEBUG_FILE_UPLOAD
1075
        sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1076
#endif
1077
0
        cancel_upload = PHP_UPLOAD_ERROR_C;
1078
0
      }
1079
#if DEBUG_FILE_UPLOAD
1080
      if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1081
        EMIT_WARNING_OR_ERROR("Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1082
        cancel_upload = 5;
1083
      }
1084
#endif
1085
0
      if (php_rfc1867_callback != NULL) {
1086
0
        multipart_event_file_end event_file_end;
1087
1088
0
        event_file_end.post_bytes_processed = SG(read_post_bytes);
1089
0
        event_file_end.temp_filename = temp_filename ? ZSTR_VAL(temp_filename) : NULL;
1090
0
        event_file_end.cancel_upload = cancel_upload;
1091
0
        if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1092
0
          cancel_upload = PHP_UPLOAD_ERROR_X;
1093
0
        }
1094
0
      }
1095
1096
0
      if (cancel_upload) {
1097
0
        if (temp_filename) {
1098
0
          if (cancel_upload != PHP_UPLOAD_ERROR_E) { /* file creation failed */
1099
0
            unlink(ZSTR_VAL(temp_filename));
1100
0
          }
1101
0
          zend_string_release_ex(temp_filename, 0);
1102
0
        }
1103
0
        temp_filename = NULL;
1104
0
      } else {
1105
0
        zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1106
0
      }
1107
1108
      /* is_arr_upload is true when name of file upload field
1109
       * ends in [.*]
1110
       * start_arr is set to point to 1st [ */
1111
0
      is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1112
1113
0
      if (is_arr_upload) {
1114
0
        array_len = strlen(start_arr);
1115
0
        if (array_index) {
1116
0
          efree(array_index);
1117
0
        }
1118
0
        array_index = estrndup(start_arr + 1, array_len - 2);
1119
0
      }
1120
1121
      /* Add $foo_name */
1122
0
      if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1123
0
        llen = (int)strlen(param);
1124
0
        lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1125
0
        llen += MAX_SIZE_OF_INDEX + 1;
1126
0
      }
1127
1128
0
      if (is_arr_upload) {
1129
0
        if (abuf) efree(abuf);
1130
0
        abuf = estrndup(param, strlen(param)-array_len);
1131
0
        snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1132
0
      } else {
1133
0
        snprintf(lbuf, llen, "%s_name", param);
1134
0
      }
1135
1136
      /* Pursuant to RFC 7578, strip any path components in the
1137
       * user-supplied file name:
1138
       *  > If a "filename" parameter is supplied ... do not use
1139
       *  > directory path information that may be present."
1140
       */
1141
0
      s = _basename(internal_encoding, filename);
1142
0
      if (!s) {
1143
0
        s = filename;
1144
0
      }
1145
1146
      /* Add $foo[name] */
1147
0
      if (is_arr_upload) {
1148
0
        snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1149
0
      } else {
1150
0
        snprintf(lbuf, llen, "%s[name]", param);
1151
0
      }
1152
0
      register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1153
0
      s = NULL;
1154
1155
      /* Add full path of supplied file for folder uploads via
1156
       * <input type="file" name="files" multiple webkitdirectory>
1157
       */
1158
      /* Add $foo[full_path] */
1159
0
      if (is_arr_upload) {
1160
0
        snprintf(lbuf, llen, "%s[full_path][%s]", abuf, array_index);
1161
0
      } else {
1162
0
        snprintf(lbuf, llen, "%s[full_path]", param);
1163
0
      }
1164
0
      register_http_post_files_variable(lbuf, filename, &PG(http_globals)[TRACK_VARS_FILES], 0);
1165
0
      efree(filename);
1166
1167
      /* Possible Content-Type: */
1168
0
      if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1169
0
        cd = "";
1170
0
      } else {
1171
        /* fix for Opera 6.01 */
1172
0
        s = strchr(cd, ';');
1173
0
        if (s != NULL) {
1174
0
          *s = '\0';
1175
0
        }
1176
0
      }
1177
1178
      /* Add $foo[type] */
1179
0
      if (is_arr_upload) {
1180
0
        snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1181
0
      } else {
1182
0
        snprintf(lbuf, llen, "%s[type]", param);
1183
0
      }
1184
0
      register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1185
1186
      /* Restore Content-Type Header */
1187
0
      if (s != NULL) {
1188
0
        *s = ';';
1189
0
      }
1190
0
      s = "";
1191
1192
0
      {
1193
        /* store temp_filename as-is (in case upload_tmp_dir
1194
         * contains escapable characters. escape only the variable name.) */
1195
0
        zval zfilename;
1196
1197
        /* Initialize variables */
1198
0
        add_protected_variable(param);
1199
1200
        /* Add $foo[tmp_name] */
1201
0
        if (is_arr_upload) {
1202
0
          snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1203
0
        } else {
1204
0
          snprintf(lbuf, llen, "%s[tmp_name]", param);
1205
0
        }
1206
0
        add_protected_variable(lbuf);
1207
0
        if (temp_filename) {
1208
0
          ZVAL_STR_COPY(&zfilename, temp_filename);
1209
0
        } else {
1210
0
          ZVAL_EMPTY_STRING(&zfilename);
1211
0
        }
1212
0
        register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1213
0
      }
1214
1215
0
      {
1216
0
        zval file_size, error_type;
1217
0
        int size_overflow = 0;
1218
0
        char file_size_buf[65];
1219
1220
0
        ZVAL_LONG(&error_type, cancel_upload);
1221
1222
        /* Add $foo[error] */
1223
0
        if (cancel_upload) {
1224
0
          ZVAL_LONG(&file_size, 0);
1225
0
        } else {
1226
0
          if (total_bytes > ZEND_LONG_MAX) {
1227
#ifdef PHP_WIN32
1228
            if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1229
              file_size_buf[0] = '0';
1230
              file_size_buf[1] = '\0';
1231
            }
1232
#else
1233
0
            {
1234
0
              int __len = snprintf(file_size_buf, 65, "%" PRId64, total_bytes);
1235
0
              file_size_buf[__len] = '\0';
1236
0
            }
1237
0
#endif
1238
0
            size_overflow = 1;
1239
1240
0
          } else {
1241
0
            ZVAL_LONG(&file_size, total_bytes);
1242
0
          }
1243
0
        }
1244
1245
0
        if (is_arr_upload) {
1246
0
          snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1247
0
        } else {
1248
0
          snprintf(lbuf, llen, "%s[error]", param);
1249
0
        }
1250
0
        register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1251
1252
        /* Add $foo[size] */
1253
0
        if (is_arr_upload) {
1254
0
          snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1255
0
        } else {
1256
0
          snprintf(lbuf, llen, "%s[size]", param);
1257
0
        }
1258
0
        if (size_overflow) {
1259
0
          ZVAL_STRING(&file_size, file_size_buf);
1260
0
        }
1261
0
        register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1262
0
      }
1263
0
      efree(param);
1264
0
    }
1265
0
  }
1266
1267
0
fileupload_done:
1268
0
  if (php_rfc1867_callback != NULL) {
1269
0
    multipart_event_end event_end;
1270
1271
0
    event_end.post_bytes_processed = SG(read_post_bytes);
1272
0
    php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1273
0
  }
1274
1275
0
  if (lbuf) efree(lbuf);
1276
0
  if (abuf) efree(abuf);
1277
0
  if (array_index) efree(array_index);
1278
0
  zend_hash_destroy(&PG(rfc1867_protected_variables));
1279
0
  zend_llist_destroy(&header);
1280
0
  if (mbuff->boundary_next) efree(mbuff->boundary_next);
1281
0
  if (mbuff->boundary) efree(mbuff->boundary);
1282
0
  if (mbuff->buffer) efree(mbuff->buffer);
1283
0
  if (mbuff) efree(mbuff);
1284
1285
0
#undef EMIT_WARNING_OR_ERROR
1286
0
}
1287
/* }}} */
1288
1289
SAPI_API void php_rfc1867_set_multibyte_callbacks(
1290
          php_rfc1867_encoding_translation_t encoding_translation,
1291
          php_rfc1867_get_detect_order_t get_detect_order,
1292
          php_rfc1867_set_input_encoding_t set_input_encoding,
1293
          php_rfc1867_getword_t getword,
1294
          php_rfc1867_getword_conf_t getword_conf,
1295
          php_rfc1867_basename_t basename) /* {{{ */
1296
0
{
1297
0
  php_rfc1867_encoding_translation = encoding_translation;
1298
0
  php_rfc1867_get_detect_order = get_detect_order;
1299
0
  php_rfc1867_set_input_encoding = set_input_encoding;
1300
0
  php_rfc1867_getword = getword;
1301
0
  php_rfc1867_getword_conf = getword_conf;
1302
0
  php_rfc1867_basename = basename;
1303
0
}
1304
/* }}} */