php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60788 Curl file upload send bogus data to lighttpd web server
Submitted: 2012-01-18 11:48 UTC Modified: 2012-01-18 17:11 UTC
From: valentin_grigoras at yahoo dot com Assigned:
Status: Not a bug Package: cURL related
PHP Version: 5.3.9 OS: Linux/Windows
Private report: No CVE-ID: None
 [2012-01-18 11:48 UTC] valentin_grigoras at yahoo dot com
Description:
------------
Curl file upload fail when destination server was Lighttpd because received data is altered (POST variable FORM_file_name is set to original path of the uploaded file instead of actual file name).


Destination server has 	lighttpd/1.4.29
Test servers had PHP 5.2.4, 5.3.2 (ubuntu 5.14) and 5.3.8 (Windows).
Last one was updated to 5.3.9

Following code works on PHP 5.2.x and worked on older versions of PHP, but does not work on any 5.3.x versions.
Same code was tested against Apache web server and it worked.

Test script:
---------------
<?php
$url_post['myfile']='@/tmp/test_remote.txt';
		
$myHeaders=array(
	"Expect:"
);
		
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://xx.xx.xx.xx/cgi-bin/test.sh");
curl_setopt($ch, CURLOPT_PORT, 80);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $myHeaders);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS, $url_post);

$curl_reponse=curl_exec($ch);		
	
echo 'Response: '.$curl_reponse;
?>


Expected result:
----------------
CONTENT_TYPE=multipart/form-data; boundary=----------------------------0de142dacc53
GATEWAY_INTERFACE=CGI/1.1
HASERL_SHELL=/bin/sh
HASERLVER=0.9.27
REMOTE_ADDR=xx.xx.xx.xx
POST_myfile=/tmp/m1fafJ
HASERL_UPLOAD_DIR=/tmp
DOCUMENT_ROOT=/www/
REMOTE_PORT=47209
HTTP_ACCEPT=*/*
CONTENT_LENGTH=195
POST_myfile_name=test_remote.txt
HASERL_UPLOAD_LIMIT=1000
SCRIPT_FILENAME=/www/cgi-bin/test.sh
HTTP_HOST=xx.xx.xx.xx
REQUEST_URI=/cgi-bin/test.sh
HASERL_myfile_path=/tmp/m1fafJ
SERVER_SOFTWARE=lighttpd/1.4.29
HASERL_ACCEPT_ALL=0
FORM_myfile=/tmp/m1fafJ
SERVER_PROTOCOL=HTTP/1.1
SESSIONID=6c004f16ab26
REDIRECT_STATUS=200
FORM_myfile_name=test_remote.txt
REQUEST_METHOD=POST
SERVER_ADDR=0.0.0.0
PWD=/www/cgi-bin/cmh
SERVER_PORT=80
SCRIPT_NAME=/cgi-bin/test.sh
HTTP_CONTENT_LENGTH=195
SERVER_NAME=xx.xx.xx.xx

Actual result:
--------------
CONTENT_TYPE=multipart/form-data; boundary=----------------------------bc7136747ad5
GATEWAY_INTERFACE=CGI/1.1
HASERL_SHELL=/bin/sh
HASERLVER=0.9.27
REMOTE_ADDR=xx.xx.xx.xx
POST_myfile=/tmp/Y9JqDF
HASERL_UPLOAD_DIR=/tmp
DOCUMENT_ROOT=/www/
REMOTE_PORT=52983
HTTP_ACCEPT=*/*
CONTENT_LENGTH=10790
POST_myfile_name=/tmp/test_remote.txt
HASERL_UPLOAD_LIMIT=1000
SCRIPT_FILENAME=/www/cgi-bin/test.sh
HTTP_HOST=xx.xx.xx.xx
REQUEST_URI=/cgi-bin/test.sh
HASERL_myfile_path=/tmp/Y9JqDF
SERVER_SOFTWARE=lighttpd/1.4.29
HASERL_ACCEPT_ALL=0
FORM_myfile=/tmp/Y9JqDF
SERVER_PROTOCOL=HTTP/1.1
SESSIONID=6aa54f16ab0a
REDIRECT_STATUS=200
FORM_myfile_name=/tmp/test_remote.txt
REQUEST_METHOD=POST
SERVER_ADDR=0.0.0.0
PWD=/www/cgi-bin
SERVER_PORT=80
SCRIPT_NAME=/cgi-bin/test.sh
HTTP_CONTENT_LENGTH=10790
SERVER_NAME=192.168.8.30

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-18 17:11 UTC] pajoye@php.net
-Status: Open +Status: Bogus
 [2012-01-18 17:11 UTC] pajoye@php.net
It is not something PHP is responsible for, but here is the comment from the 
cURL project lead:

"it is correct in the sense that libcurl will use the path name specified to it. 
it is wrong in the sense that a receiver should not assume otherwise"

If you still consider that this should be different, please discuss this issue 
in the cURL tracker or on their mailing list.
 [2012-01-26 10:16 UTC] valentin_grigoras at yahoo dot com
I don't see how it is a curl issue, since if I do the upload from command line, it works as expected, including from the servers with PHP 5.3.9:

curl -F "myfile=@/tmp/test_remote.txt" "http://xx.xx.xx.xx/cgi-bin/test.sh" --header "Expect:" > /tmp/response.txt

When I try attached code from PHP 5.3.x the file is sent to Lighttpd server so upload actually works (I assume this is "correct" part from your answer) but the server variables are not correct and filename is not received properly.

"it is wrong in the sense that a receiver should not assume otherwise"
I'm not sure how to interpret this, since I attached environment variables to see that POST_myfile_name=/tmp/test_remote.txt (sender full path) instead of POST_myfile_name=test_remote.txt (the name of uploaded file).
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Sep 19 13:01:34 2019 UTC