Page MenuHomePhabricator
Files F2924372

0001-Work-around-CURL-insanity-breaking-POST-parameters-t.patch
Catrope (Roan Kattouw)
Actions

Authored By
Catrope
Nov 7 2015, 12:44 AM
Size
2 KB
Referenced Files
None
Subscribers
None

0001-Work-around-CURL-insanity-breaking-POST-parameters-t.patch
View Options

From 7748d48657d1d6f56bed7da093a94df46582fea0 Mon Sep 17 00:00:00 2001
From: Roan Kattouw <roan.kattouw@gmail.com>
Date: Fri, 6 Nov 2015 12:55:16 -0800
Subject: [PATCH] Work around CURL insanity breaking POST parameters that start
with '@'
CURL has a "feature" where passing array( 'foo' => '@bar' )
in CURLOPT_POSTFIELDS results in the contents of the file named "bar"
being POSTed. This makes it impossible to POST the literal string "@bar",
because array( 'foo' => '%40bar' ) gets double-encoded to foo=%2540bar.
Disable this "feature" by setting CURLOPT_SAFE_UPLOAD to true.
According to the PHP manual, this defaults to true starting with
5.6.0, but we've observed this behavior in production with 5.6.99-hhvm,
so that suggests that HHVM hasn't picked up this change.
Bug: T118032
Change-Id: I3f996e2eb87c7bd3b94ca9d3cc14a3e12f34f241
---
includes/HttpFunctions.php | 5 +++++
includes/libs/MultiHttpClient.php | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 60196ab..8372401 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -782,6 +782,11 @@ class CurlHttpRequest extends MWHttpRequest {
} elseif ( $this->method == 'POST' ) {
$this->curlOptions[CURLOPT_POST] = true;
$this->curlOptions[CURLOPT_POSTFIELDS] = $this->postData;
+ // Don't interpret POST parameters starting with '@' as file uploads, because this
+ // makes it impossible to POST plain values starting with '@'.
+ // The PHP manual says this defaults to true in PHP 5.6 and up, but we support
+ // lower versions, and it doesn't actually seem to default to true in HHVM 5.6.99.
+ $this->curlOptions[CURLOPT_SAFE_UPLOAD] = true;
// Suppress 'Expect: 100-continue' header, as some servers
// will reject it with a 417 and Curl won't auto retry
// with HTTP 1.0 fallback
diff --git a/includes/libs/MultiHttpClient.php b/includes/libs/MultiHttpClient.php
index c6fa914..c848fba 100644
--- a/includes/libs/MultiHttpClient.php
+++ b/includes/libs/MultiHttpClient.php
@@ -338,6 +338,11 @@ class MultiHttpClient {
);
} elseif ( $req['method'] === 'POST' ) {
curl_setopt( $ch, CURLOPT_POST, 1 );
+ // Don't interpret POST parameters starting with '@' as file uploads, because this
+ // makes it impossible to POST plain values starting with '@'.
+ // The PHP manual says this defaults to true in PHP 5.6 and up, but we support
+ // lower versions, and it doesn't actually seem to default to true in HHVM 5.6.99.
+ curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, $req['body'] );
} else {
if ( is_resource( $req['body'] ) || $req['body'] !== '' ) {
--
1.9.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2935202
Default Alt Text
0001-Work-around-CURL-insanity-breaking-POST-parameters-t.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL