add multipart_uri_whitelist INI option

chopins · chopins · commit a92fc9fb89e7 · 2026-02-03T14:56:19.000+08:00
diff --git a/main/SAPI.h b/main/SAPI.h
@@ -141,6 +141,7 @@ typedef struct _sapi_globals_struct {
 	char *default_charset;
 	HashTable *rfc1867_uploaded_files;
 	zend_long post_max_size;
+	char *multipart_uri_whitelist;
 	int options;
 	bool sapi_started;
 	double global_request_time;
diff --git a/main/main.c b/main/main.c
@@ -878,6 +878,7 @@ PHP_INI_BEGIN()
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("max_file_uploads",			"20",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
 	PHP_INI_ENTRY("max_multipart_body_parts",	"-1",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
+	STD_PHP_INI_ENTRY("multipart_uri_whitelist", NULL,			PHP_INI_PERDIR,		OnUpdateString,		multipart_uri_whitelist, sapi_globals_struct,	sapi_globals)
 
 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,		core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,		core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
@@ -670,6 +670,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 	zend_long post_max_size = REQUEST_PARSE_BODY_OPTION_GET(post_max_size, SG(post_max_size));
 	zend_long max_input_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
 	zend_long upload_max_filesize = REQUEST_PARSE_BODY_OPTION_GET(upload_max_filesize, PG(upload_max_filesize));
+	char *multipart_uri_whitelist = SG(multipart_uri_whitelist);
 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
 	php_rfc1867_getword_t getword;
 	php_rfc1867_getword_conf_t getword_conf;
@@ -694,6 +695,24 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 		_basename = php_ap_basename;
 	}
 
+	if(multipart_uri_whitelist != NULL) {
+		char *uri = strtok(multipart_uri_whitelist, ":");
+		bool find = 0;
+
+		while (uri)
+		{
+			if(strcasecmp(SG(request_info).request_uri, uri) == 0) {
+				find = 1;
+				break;
+			}
+			uri = strtok(NULL, ":");
+		}
+		if(!find) {
+			EMIT_WARNING_OR_ERROR("request uri %s is not allow POST multipart body", SG(request_info).request_uri);
+			return;
+		}
+	}
+
 	if (post_max_size > 0 && SG(request_info).content_length > post_max_size) {
 		EMIT_WARNING_OR_ERROR("POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, post_max_size);
 		return;
