From a92fc9fb89e747c8ac43a5f9406694ae01a62ef5 Mon Sep 17 00:00:00 2001
From: Xiao Chopins
Date: Tue, 3 Feb 2026 14:56:19 +0800
Subject: [PATCH 1/2] add multipart_uri_whitelist INI option
---
 main/SAPI.h | 1 +
 main/main.c | 1 +
 main/rfc1867.c | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+)
diff --git a/main/SAPI.h b/main/SAPI.h
index 9196982f54951..22c3adb78ba42 100644
--- a/main/SAPI.h
+++ b/main/SAPI.h
@@ -141,6 +141,7 @@ typedef struct _sapi_globals_struct {
 char *default_charset;
 HashTable *rfc1867_uploaded_files;
 zend_long post_max_size;
+ char *multipart_uri_whitelist;
 int options;
 bool sapi_started;
 double global_request_time;
diff --git a/main/main.c b/main/main.c
index 446ac0fcb7970..6d9ce4c65a511 100644
--- a/main/main.c
+++ b/main/main.c
@@ -878,6 +878,7 @@ PHP_INI_BEGIN()
 PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
 PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
 PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
+ STD_PHP_INI_ENTRY("multipart_uri_whitelist", NULL, PHP_INI_PERDIR, OnUpdateString, multipart_uri_whitelist, sapi_globals_struct, sapi_globals)
 STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
 STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index f6ffb6fabc7f1..b803ad7648c5b 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -670,6 +670,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 zend_long post_max_size = REQUEST_PARSE_BODY_OPTION_GET(post_max_size, SG(post_max_size));
 zend_long max_input_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
 zend_long upload_max_filesize = REQUEST_PARSE_BODY_OPTION_GET(upload_max_filesize, PG(upload_max_filesize));
+ char *multipart_uri_whitelist = SG(multipart_uri_whitelist);
 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
 php_rfc1867_getword_t getword;
 php_rfc1867_getword_conf_t getword_conf;
@@ -694,6 +695,24 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 _basename = php_ap_basename;
 }
+ if(multipart_uri_whitelist != NULL) {
+ char *uri = strtok(multipart_uri_whitelist, ":");
+ bool find = 0;
+
+ while (uri)
+ {
+ if(strcasecmp(SG(request_info).request_uri, uri) == 0) {
+ find = 1;
+ break;
+ }
+ uri = strtok(NULL, ":");
+ }
+ if(!find) {
+ EMIT_WARNING_OR_ERROR("request uri %s is not allow POST multipart body", SG(request_info).request_uri);
+ return;
+ }
+ }
+
 if (post_max_size > 0 && SG(request_info).content_length > post_max_size) {
 EMIT_WARNING_OR_ERROR("POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, post_max_size);
 return;
From e2af49b3023282d0db4f796ab805e3a978c05c2c Mon Sep 17 00:00:00 2001
From: Xiao Chopins
Date: Fri, 6 Feb 2026 16:19:14 +0800
Subject: [PATCH 2/2] add allow_multipart_form INI option
---
 main/SAPI.c | 4 ++++
 main/SAPI.h | 2 +-
 main/main.c | 2 +-
 main/rfc1867.c | 21 ++++-----------------
 4 files changed, 10 insertions(+), 19 deletions(-)
diff --git a/main/SAPI.c b/main/SAPI.c
index 6709d467e34fe..96f25d62ebd0e 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
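Review bot: `strtok(multipart_uri_whitelist, ":")` writes NUL bytes into the buffer that `SG(multipart_uri_whitelist)` points at, and as far as I can tell `OnUpdateString` (main.c hunk of this commit) points that field at the INI entry's own value storage, so the first multipart request permanently truncates the whitelist at its first `:` for every later request in the process; `strtok` also keeps static state that is not safe under ZTS. `SG(request_info).request_uri` is passed straight to `strcasecmp` without a NULL check, although SAPIs that do not populate it leave it NULL. A safe form tokenizes an `estrdup` copy with a reentrant tokenizer such as `strtok_r` (PHP has `php_strtok_r`), frees the copy on both exits, and skips the comparison when `request_uri` is NULL. The second commit in this series removes the block entirely, so this is mainly a record of why; `rfc1867_post_handler` continues outside the hunk.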
@@ -199,6 +199,10 @@ SAPI_API void sapi_read_post_data(void)
 /* now try to find an appropriate POST content handler */
 if ((post_entry = zend_hash_str_find_ptr(&SG(known_post_content_types), content_type, content_type_length)) != NULL) {
+ if(!SG(allow_multipart_form) && !strcmp(content_type, MULTIPART_CONTENT_TYPE)) {
+ efree(content_type);
+ return;
+ }
 /* found one, register it for use */
 SG(request_info).post_entry = post_entry;
 post_reader_func = post_entry->post_reader;
diff --git a/main/SAPI.h b/main/SAPI.h
index 22c3adb78ba42..a88f1cd4e2f76 100644
--- a/main/SAPI.h
+++ b/main/SAPI.h
@@ -141,7 +141,7 @@ typedef struct _sapi_globals_struct {
 char *default_charset;
 HashTable *rfc1867_uploaded_files;
 zend_long post_max_size;
- char *multipart_uri_whitelist;
+ bool allow_multipart_form;
 int options;
 bool sapi_started;
 double global_request_time;
diff --git a/main/main.c b/main/main.c
index 6d9ce4c65a511..2966ba8489fdf 100644
--- a/main/main.c
+++ b/main/main.c
@@ -878,7 +878,7 @@ PHP_INI_BEGIN()
 PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
 PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
 PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
- STD_PHP_INI_ENTRY("multipart_uri_whitelist", NULL, PHP_INI_PERDIR, OnUpdateString, multipart_uri_whitelist, sapi_globals_struct, sapi_globals)
+ STD_PHP_INI_ENTRY("allow_multipart_form", "1", PHP_INI_ALL, OnUpdateBool, allow_multipart_form, sapi_globals_struct, sapi_globals)
 STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
 STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index b803ad7648c5b..db07f1f3aa96e 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
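Review bot: The new early return in sapi_read_post_data() rejects the multipart body silently: `efree(content_type)` and `return` leave `SG(request_info).post_entry` unset, so the script runs with empty `$_POST`/`$_FILES` and nothing in the log says why, whereas the matching check this commit adds in rfc1867.c goes through `EMIT_WARNING_OR_ERROR`. Add a diagnostic before the return, e.g. `sapi_module.sapi_error(E_WARNING, "multipart/form-data request body rejected because allow_multipart_form is disabled");`, so rejected uploads are visible to operators and the two gates report consistently. The rest of this function is outside the hunk, so please also confirm that returning before the handler is registered leaves the request state the way the no-handler path would.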
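Review bot: `PHP_INI_ALL` on the `allow_multipart_form` entry lets a script flip the setting at runtime with `ini_set()`, which makes a switch meant to refuse multipart bodies overridable by the code it is supposed to constrain; the neighbouring request-parsing limits (`max_file_uploads`, `max_multipart_body_parts`) use `PHP_INI_SYSTEM|PHP_INI_PERDIR`, and the same mode fits here. The sapi_read_post_data() check runs before any script code, so the runtime override only matters for the rfc1867.c check, which the `REQUEST_PARSE_BODY_OPTION_GET` locals around it suggest is also reachable from request_parse_body(). A boolean field should also use the boolean macro like its siblings `allow_url_fopen` and `allow_url_include`, so phpinfo shows On/Off: `STD_PHP_INI_BOOLEAN("allow_multipart_form", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool, allow_multipart_form, sapi_globals_struct, sapi_globals)`.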
@@ -670,7 +670,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 zend_long post_max_size = REQUEST_PARSE_BODY_OPTION_GET(post_max_size, SG(post_max_size));
 zend_long max_input_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
 zend_long upload_max_filesize = REQUEST_PARSE_BODY_OPTION_GET(upload_max_filesize, PG(upload_max_filesize));
- char *multipart_uri_whitelist = SG(multipart_uri_whitelist);
+ bool allow_multipart_form = SG(allow_multipart_form);
 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
 php_rfc1867_getword_t getword;
 php_rfc1867_getword_conf_t getword_conf;
@@ -695,22 +695,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 _basename = php_ap_basename;
 }
- if(multipart_uri_whitelist != NULL) {
- char *uri = strtok(multipart_uri_whitelist, ":");
- bool find = 0;
-
- while (uri)
- {
- if(strcasecmp(SG(request_info).request_uri, uri) == 0) {
- find = 1;
- break;
- }
- uri = strtok(NULL, ":");
- }
- if(!find) {
- EMIT_WARNING_OR_ERROR("request uri %s is not allow POST multipart body", SG(request_info).request_uri);
- return;
- }
+ if(!allow_multipart_form) {
+ EMIT_WARNING_OR_ERROR("request uri %s is not allow POST multipart body", SG(request_info).request_uri);
+ return;
 }
 if (post_max_size > 0 && SG(request_info).content_length > post_max_size) {
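Review bot: The warning in the second hunk no longer matches the check: the block now gates on the global `allow_multipart_form` switch, yet the message still reads `request uri %s is not allow POST multipart body` and formats `SG(request_info).request_uri`, which SAPIs that do not populate it leave NULL. Replace it with a message that names the setting and does not depend on the URI, e.g. `EMIT_WARNING_OR_ERROR("POST %s body rejected because allow_multipart_form is disabled", MULTIPART_CONTENT_TYPE);`. Since the sapi_read_post_data() check from the same commit already refuses to register the handler, this branch is presumably reached only when the handler is invoked directly (the `REQUEST_PARSE_BODY_OPTION_GET` locals in the first hunk suggest request_parse_body()), so the two gates should use the same wording. `rfc1867_post_handler` continues outside the hunk.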