Fixed bug #33673 (Added detection for partially uploaded files).
Ilia Alshanetsky committed Jul 13, 2005
1 parent bc9bc39 commit 85e2378
Showing 2 changed files with 18 additions and 5 deletions.
1 change: 1 addition & 0 deletions NEWS
Expand Up @@ -16,6 +16,7 @@ PHP NEWS
- Fixed memory corruption in pg_copy_from() in case the as_null parameter was
passed. (Derick)
- Fixed crash inside stream_get_line() when length parameter equals 0. (Ilia)
- Fixed bug #33673 (Added detection for partially uploaded files). (Ilia)
- Fixed bug #33605 (substr_compare() crashes with negative offset and length).
(Tony)
- Fixed bug #33597 (setcookie() "expires" date format doesn't comply with RFC).
22 changes: 17 additions & 5 deletions main/rfc1867.c
Expand Up @@ -131,6 +131,7 @@ void php_mb_gpc_stack_variable(char *param, char *value, char ***pval_list, int
#define UPLOAD_ERROR_C 3 /* Partially uploaded */
#define UPLOAD_ERROR_D 4 /* No file uploaded */
#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
#define UPLOAD_ERROR_F 7 /* Failed to write file to disk */

void php_rfc1867_register_constants(TSRMLS_D)
{
Expand All @@ -140,6 +141,7 @@ void php_rfc1867_register_constants(TSRMLS_D)
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
}

static void normalize_protected_variable(char *varname TSRMLS_DC)
Expand Down Expand Up @@ -704,7 +706,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne


/* read until a boundary condition */
static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes TSRMLS_DC)
static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
{
int len, max;
char *bound;
Expand All @@ -717,6 +719,9 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes TS
/* look for a potential boundary match, only read data up to that point */
if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
max = bound - self->buf_begin;
if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
*end = 1;
}
} else {
max = self->bytes_in_buffer;
}
Expand Down Expand Up @@ -753,7 +758,7 @@ static char *multipart_buffer_read_body(multipart_buffer *self TSRMLS_DC)
char buf[FILLUNIT], *out=NULL;
int total_bytes=0, read_bytes=0;

while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf) TSRMLS_CC))) {
while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
out = erealloc(out, total_bytes + read_bytes + 1);
memcpy(out + total_bytes, buf, read_bytes);
total_bytes += read_bytes;
Expand Down Expand Up @@ -858,6 +863,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)

if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
char *pair=NULL;
int end=0;

while (isspace(*cd)) {
++cd;
Expand Down Expand Up @@ -988,7 +994,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
cancel_upload = UPLOAD_ERROR_D;
}

while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
end = 0;
while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
{
if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
Expand All @@ -1007,7 +1014,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
#if DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
#endif
cancel_upload = UPLOAD_ERROR_C;
cancel_upload = UPLOAD_ERROR_F;
} else {
total_bytes += wlen;
}
Expand All @@ -1016,7 +1023,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
if (fd!=-1) { /* may not be initialized if file could not be created */
close(fd);
}

if (!cancel_upload && !end) {
#if DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", strlen(filename) > 0 ? filename : "");
#endif
cancel_upload = UPLOAD_ERROR_C;
}
#if DEBUG_FILE_UPLOAD
if(strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
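Review bot: The new `end` out-parameter of multipart_buffer_read() has no documented contract: the visible lines only ever set `*end = 1` and never clear it, so the truncated-upload check in rfc1867_post_handler is correct only because the caller does `end = 0;` before its loop, while the header comment still reads just `/* read until a boundary condition */`. I would extend that comment to `/* read until a boundary condition; if end is non-NULL, *end is set to 1 once a complete boundary_next is in the buffer (never reset here) */`. The added full-match call to php_ap_memstr also scans the same buffer a second time on every read that finds a candidate; if the partial-mode search returns the first complete match when one exists (its body is not shown on this page), comparing the bytes remaining after `bound` with `self->boundary_next_len` would avoid the rescan. Separately, the short-write branch now reports `UPLOAD_ERROR_F` where it used to report `UPLOAD_ERROR_C`, a change visible to scripts that the NEWS entry does not mention. Both functions start and end outside the hunks shown.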
