Home Original page

Curl post upload functions changed

Bug #49921 Curl post upload functions changed
Submitted: 2009-10-19 13:50 UTC Modified: 2009-10-26 12:57 UTC
From: jon at feburman dot co dot uk Assigned: iliaa (profile)
Status: Closed Package: cURL related
PHP Version: 5.*, 6 (2009-10-21) OS: *
Private report: No CVE-ID: None

 [2009-10-19 13:50 UTC] jon at feburman dot co dot uk

Description:
------------
Files being uploaded via http post come across with a url encoded 
version of the whole file path rather than just the name part as it did 
in older versions of PHP. 

Reproduce code:
---------------
	function upload($dir, $file, $userpass) {
		if( ! $this->cURLcheckBasicFunctions() ) return false;
		$ch = curl_init();
		if($ch) {
			$data = array('dir' => $dir, 'filedata0' => "@$file");
			
			if( !curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ) return false;
			if( !curl_setopt($ch, CURLOPT_URL, $this->url)) return false;
			if( !curl_setopt($ch, CURLOPT_USERPWD, $userpass)) return false;
			if( !curl_setopt($ch, CURLOPT_POST, 1)) return false;
			if( !curl_setopt($ch, CURLOPT_POSTFIELDS, $data)) return false;
		
			if( !curl_exec($ch) ) return false;
			curl_close($ch);
			return true;
		}
		else return false;
	}


Expected result:
----------------
File arrives on remote server called 
"SAV2906_A4L_4pp_D_shipping_label.pdf"

Actual result:
--------------
File arrives on remote server called 
":2Fvar:2Fwww:2Fvhosts:2Ffeburman.co.uk:2Fhttpdocs:2Fsprint:2Fjobs:2Fjob
2906:2FSAV2906_A4L_4pp_D_shipping_label.pdf"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2009-10-19 14:31 UTC] jani@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

 [2009-10-19 17:44 UTC] jon at feburman dot co dot uk

I have had to go back to 5.2.10 (which works correctly) as this bug broke our live site, so I cannot test this - and you will need 
to fill in some values for the variables at the bottom.

But, off the top of my head, something like:

<?PHP


function upload($dir, $file, $userpass, $url) {

	$ch = curl_init();
	if($ch) {
		$data = array('dir' => $dir, 'filedata0' => "@$file");
			
		if( !curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ) return false;
		if( !curl_setopt($ch, CURLOPT_URL, $url)) return false;
		if( !curl_setopt($ch, CURLOPT_USERPWD, $userpass)) return false;
		if( !curl_setopt($ch, CURLOPT_POST, 1)) return false;
		if( !curl_setopt($ch, CURLOPT_POSTFIELDS, $data)) return false;
		
		if( !curl_exec($ch) ) return false;
		curl_close($ch);
		return true;
	}
	else return false;
}
$dir = "uploads"; //Not needed - but in our case this was a required post
$file = "/local/path/to/a/file"; //Local path to a file
$userpass = "auser:apasswd"; //Remote login details
$url = "remote/upload/url"; //A remote upload page

upload($dir, $file, $userpass, $url);
?>

On the remote system see what the upload file is called. If it makes any difference, our remote system was a Solaris 9 box.

 [2009-10-26 12:57 UTC] iliaa@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.