PHP :: Bug #60788 :: Curl file upload send bogus data to lighttpd web server

Bug #60788	Curl file upload send bogus data to lighttpd web server
Submitted:	2012-01-18 11:48 UTC	Modified:	2012-01-18 17:11 UTC
From:	valentin_grigoras at yahoo dot com	Assigned:
Status:	Not a bug	Package:	cURL related
PHP Version:	5.3.9	OS:	Linux/Windows
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2012-01-18 11:48 UTC] valentin_grigoras at yahoo dot com

Description:
------------
Curl file upload fail when destination server was Lighttpd because received data is altered (POST variable FORM_file_name is set to original path of the uploaded file instead of actual file name).


Destination server has 	lighttpd/1.4.29
Test servers had PHP 5.2.4, 5.3.2 (ubuntu 5.14) and 5.3.8 (Windows).
Last one was updated to 5.3.9

Following code works on PHP 5.2.x and worked on older versions of PHP, but does not work on any 5.3.x versions.
Same code was tested against Apache web server and it worked.

Test script:
---------------
<?php
$url_post['myfile']='@/tmp/test_remote.txt';
		
$myHeaders=array(
	"Expect:"
);
		
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://xx.xx.xx.xx/cgi-bin/test.sh");
curl_setopt($ch, CURLOPT_PORT, 80);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $myHeaders);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS, $url_post);

$curl_reponse=curl_exec($ch);		
	
echo 'Response: '.$curl_reponse;
?>


Expected result:
----------------
CONTENT_TYPE=multipart/form-data; boundary=----------------------------0de142dacc53
GATEWAY_INTERFACE=CGI/1.1
HASERL_SHELL=/bin/sh
HASERLVER=0.9.27
REMOTE_ADDR=xx.xx.xx.xx
POST_myfile=/tmp/m1fafJ
HASERL_UPLOAD_DIR=/tmp
DOCUMENT_ROOT=/www/
REMOTE_PORT=47209
HTTP_ACCEPT=*/*
CONTENT_LENGTH=195
POST_myfile_name=test_remote.txt
HASERL_UPLOAD_LIMIT=1000
SCRIPT_FILENAME=/www/cgi-bin/test.sh
HTTP_HOST=xx.xx.xx.xx
REQUEST_URI=/cgi-bin/test.sh
HASERL_myfile_path=/tmp/m1fafJ
SERVER_SOFTWARE=lighttpd/1.4.29
HASERL_ACCEPT_ALL=0
FORM_myfile=/tmp/m1fafJ
SERVER_PROTOCOL=HTTP/1.1
SESSIONID=6c004f16ab26
REDIRECT_STATUS=200
FORM_myfile_name=test_remote.txt
REQUEST_METHOD=POST
SERVER_ADDR=0.0.0.0
PWD=/www/cgi-bin/cmh
SERVER_PORT=80
SCRIPT_NAME=/cgi-bin/test.sh
HTTP_CONTENT_LENGTH=195
SERVER_NAME=xx.xx.xx.xx

Actual result:
--------------
CONTENT_TYPE=multipart/form-data; boundary=----------------------------bc7136747ad5
GATEWAY_INTERFACE=CGI/1.1
HASERL_SHELL=/bin/sh
HASERLVER=0.9.27
REMOTE_ADDR=xx.xx.xx.xx
POST_myfile=/tmp/Y9JqDF
HASERL_UPLOAD_DIR=/tmp
DOCUMENT_ROOT=/www/
REMOTE_PORT=52983
HTTP_ACCEPT=*/*
CONTENT_LENGTH=10790
POST_myfile_name=/tmp/test_remote.txt
HASERL_UPLOAD_LIMIT=1000
SCRIPT_FILENAME=/www/cgi-bin/test.sh
HTTP_HOST=xx.xx.xx.xx
REQUEST_URI=/cgi-bin/test.sh
HASERL_myfile_path=/tmp/Y9JqDF
SERVER_SOFTWARE=lighttpd/1.4.29
HASERL_ACCEPT_ALL=0
FORM_myfile=/tmp/Y9JqDF
SERVER_PROTOCOL=HTTP/1.1
SESSIONID=6aa54f16ab0a
REDIRECT_STATUS=200
FORM_myfile_name=/tmp/test_remote.txt
REQUEST_METHOD=POST
SERVER_ADDR=0.0.0.0
PWD=/www/cgi-bin
SERVER_PORT=80
SCRIPT_NAME=/cgi-bin/test.sh
HTTP_CONTENT_LENGTH=10790
SERVER_NAME=192.168.8.30

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-01-18 17:11 UTC] pajoye@php.net

-Status: Open +Status: Bogus

[2012-01-18 17:11 UTC] pajoye@php.net

It is not something PHP is responsible for, but here is the comment from the 
cURL project lead:

"it is correct in the sense that libcurl will use the path name specified to it. 
it is wrong in the sense that a receiver should not assume otherwise"

If you still consider that this should be different, please discuss this issue 
in the cURL tracker or on their mailing list.

[2012-01-26 10:16 UTC] valentin_grigoras at yahoo dot com

I don't see how it is a curl issue, since if I do the upload from command line, it works as expected, including from the servers with PHP 5.3.9:

curl -F "myfile=@/tmp/test_remote.txt" "http://xx.xx.xx.xx/cgi-bin/test.sh" --header "Expect:" > /tmp/response.txt

When I try attached code from PHP 5.3.x the file is sent to Lighttpd server so upload actually works (I assume this is "correct" part from your answer) but the server variables are not correct and filename is not received properly.

"it is wrong in the sense that a receiver should not assume otherwise"
I'm not sure how to interpret this, since I attached environment variables to see that POST_myfile_name=/tmp/test_remote.txt (sender full path) instead of POST_myfile_name=test_remote.txt (the name of uploaded file).

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 27 06:01:30 2024 UTC