diff options
author | Pierre Schmitz <pierre@archlinux.de> | 2015-12-18 06:04:58 +0100 |
---|---|---|
committer | Pierre Schmitz <pierre@archlinux.de> | 2015-12-18 06:04:58 +0100 |
commit | 257401d8b2cf661adf36c84b0e3fd1cf85e33c22 (patch) | |
tree | f8c25e7fa0c2ba18f27c52415c19cb579a316178 /includes/libs/MultiHttpClient.php | |
parent | a1789ddde42033f1b05cc4929491214ee6e79383 (diff) |
Update to MediaWiki 1.26.1
Diffstat (limited to 'includes/libs/MultiHttpClient.php')
-rw-r--r-- | includes/libs/MultiHttpClient.php | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/includes/libs/MultiHttpClient.php b/includes/libs/MultiHttpClient.php index 6af3ed51..5555cbcb 100644 --- a/includes/libs/MultiHttpClient.php +++ b/includes/libs/MultiHttpClient.php @@ -335,6 +335,19 @@ class MultiHttpClient { ); } elseif ( $req['method'] === 'POST' ) { curl_setopt( $ch, CURLOPT_POST, 1 ); + // Don't interpret POST parameters starting with '@' as file uploads, because this + // makes it impossible to POST plain values starting with '@' (and causes security + // issues potentially exposing the contents of local files). + // The PHP manual says this option was introduced in PHP 5.5 defaults to true in PHP 5.6, + // but we support lower versions, and the option doesn't exist in HHVM 5.6.99. + if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) { + curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true ); + } else if ( is_array( $req['body'] ) ) { + // In PHP 5.2 and later, '@' is interpreted as a file upload if POSTFIELDS + // is an array, but not if it's a string. So convert $req['body'] to a string + // for safety. + $req['body'] = wfArrayToCgi( $req['body'] ); + } curl_setopt( $ch, CURLOPT_POSTFIELDS, $req['body'] ); } else { if ( is_resource( $req['body'] ) || $req['body'] !== '' ) { |