On Sun, March 11, 2012 6:29 pm, Stas Malyshev wrote:
> Hi!
>
>> I'd sure like a PHP extension that didn't have this obvious and
>> nasty bug:
>>
>> https://bugs.php.net/bug.php?id=46439
>
> This doesn't look good. Documentation does say the @ prefix exists, but
> it has very high potential of creating security holes for unsuspecting
> people. open_basedir would help limit the impact, but still it's not a
> good thing. Any ideas on fixing it without breaking the BC?

Ouch.

Issue an E_NOTICE when it happens?

Add a new CURLOPT_FILEFIELDS that takes an array of the parameters
that are supposed to be files, so the ones that are expected to have
"@..." do not fire the E_NOTICE.

Issuing E_NOTICE is a BC, I suppose, but you'd think people would
appreciate an alert about a potential security threat...

-- 
brain cancer update:
http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate:
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
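The allowlist that the CURLOPT_FILEFIELDS proposal above describes, written as an added userland PHP example (it is not code from this thread or from ext/curl). The helper name curl_set_post_fields, the example.invalid URL and the sample field values are all constructed for illustration. It relies on two documented behaviours: in the array form of CURLOPT_POSTFIELDS a value beginning with "@" is treated as a file to upload, while a string body is sent verbatim.

```php
<?php
// Added example: enforce a CURLOPT_FILEFIELDS-style allowlist in userland.
// Only fields named in $fileFields may carry the "@" file-upload prefix; any
// other field whose value starts with "@" raises E_USER_NOTICE and the
// request is refused, so user input such as "@alice" can never turn into a
// file read from the web server's filesystem.

function curl_set_post_fields($ch, array $fields, array $fileFields = array())
{
    foreach ($fields as $name => $value) {
        if (in_array($name, $fileFields, true)) {
            continue; // declared as a file field, "@path" is intended here
        }
        if (is_string($value) && isset($value[0]) && $value[0] === '@') {
            trigger_error(
                "Field '$name' starts with '@' but is not a declared file field; refusing request",
                E_USER_NOTICE
            );
            return false;
        }
    }

    if (empty($fileFields)) {
        // No uploads at all: send a urlencoded string body. curl passes a
        // string through verbatim, so a leading "@" in a value is just data.
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
        return true;
    }

    // Uploads present: the array (multipart) form is required, but every
    // non-file value has been checked not to start with "@".
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    return true;
}

// Constructed sample input: 'comment' is user-supplied text that happens to
// start with "@", 'avatar' is the one field that really is a file.
$ch = curl_init('https://example.invalid/submit');
curl_setopt($ch, CURLOPT_POST, true);

$ok = curl_set_post_fields($ch, array(
    'comment' => '@alice thanks for the review',
    'avatar'  => '@/tmp/avatar.png',
), array('avatar'));
// $ok is true: 'avatar' is allowlisted and 'comment' does not start with "@"
// ... wait, it does. See below.

$ok2 = curl_set_post_fields($ch, array(
    'comment' => 'plain text',
    'avatar'  => '@/tmp/avatar.png',
), array('avatar'));

if ($ok2) {
    curl_exec($ch);
}
curl_close($ch);
```

Calling the helper with the first array emits an E_USER_NOTICE for 'comment' and returns false, which is exactly the alert the proposal wants unsuspecting callers to see; the second call passes and the request is executed. Where a request carries no files at all, the string body from http_build_query removes the "@" interpretation entirely rather than merely detecting it.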



-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
