Skip to content

Fix broken files upload on php > 5.6.0 #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 27, 2016
Merged

Fix broken files upload on php > 5.6.0 #52

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a12837e
Fix broken file uploads with php version > 5.6
Sep 24, 2015
048d96d
Fix broken file uploads with php version < 5.4
Sep 24, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions src/Jira/Api/Client/CurlClient.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,9 @@ public function sendRequest($method, $url, $data = array(), $endpoint, Authentic
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_VERBOSE, $debug);
if ($isFile) {
if (defined('CURLOPT_SAFE_UPLOAD')) {
curl_setopt($curl, CURLOPT_SAFE_UPLOAD, false);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused. Documentation for this option says this:

TRUE to disable support for the @ prefix for uploading files in CURLOPT_POSTFIELDS, which means that values starting with @ can be safely passed as fields. CURLFile may be used for uploads instead.

so the value false is enabling unsafe mode, that allows @ usage for filename uploads.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see now. The createAttachment method uses @ for file upload according to https://docs.atlassian.com/jira/REST/latest/#api/2/issue/{issueIdOrKey}/attachments-addAttachment .

Then it's OK for now, but might be bad in long term from security point of view when an attacker has control over name of the filename, that is uploaded it can trick CURL into uploading any other expect specified file.

}
curl_setopt($curl, CURLOPT_HTTPHEADER, array('X-Atlassian-Token: nocheck'));
} else {
curl_setopt($curl, CURLOPT_HTTPHEADER, array("Content-Type: application/json;charset=UTF-8"));
Expand All @@ -82,11 +85,9 @@ public function sendRequest($method, $url, $data = array(), $endpoint, Authentic
} else {
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($data));
}
} else {
if ($method == "PUT") {
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($data));
}
} elseif ($method == "PUT") {
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($data));
}

$data = curl_exec($curl);
Expand Down