Skip to content

Add 'multipart_uri_whitelist' INI option to control which URL paths are allowed to submit multipart body #21118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
chopins wants to merge 32 commits into
base: master
Choose a base branch
from
Open

Add 'multipart_uri_whitelist' INI option to control which URL paths are allowed to submit multipart body #21118

chopins wants to merge 32 commits into from
+21 −0

Conversation

@chopins
Copy link
Contributor

@chopins chopins commented Feb 3, 2026

Currently, in PHP, users can upload files to the server under any circumstances, even if the PHP script does not include file upload handling.
This not only unnecessarily increases server bandwidth usage but also introduces the security risk of arbitrary file uploads to the server. like : hitcon-ctf-2018-one-line-php-challenge.
So add multipart_uri_whitelist PHP_INI_PERDIR ini option to Allow file uploads only from whitelisted paths.

chopins added 30 commits September 2, 2020 12:20
@chopins
Merge pull request #1 from php/master
e3f29b4 
sync master
@chopins
Merge pull request #2 from php/master
f97a395 
merge
@chopins
Merge pull request #3 from php/master
9850245 
sync
@chopins
Merge pull request #4 from php/master
728d914 
sync
@chopins
Merge pull request #5 from php/master
ee2ba03 
sync master
@chopins
Merge pull request #6 from php/master
ee22aa4 
sync master
@chopins
Merge pull request #7 from php/master
86e41ca 
sync master
@chopins
Merge pull request #8 from php/master
dd61db7 
sync
@chopins
Merge pull request #9 from php/master
725f0ef 
sync
@chopins
Merge pull request #10 from php/master
2032ee3 
sysnc
@chopins
Merge pull request #11 from php/master
7fa87be 
sync
@chopins
Merge pull request #12 from php/master
d4b78af 
sync
@chopins
Merge pull request #13 from php/master
e80e7c1 
sync
@chopins
Merge pull request #14 from php/master
a29017a 
mege
@chopins
Merge pull request #15 from php/master
adf3789 
sync
@chopins
Merge pull request #16 from php/master
b510ebd 
sync
@chopins
Merge pull request #17 from php/master
bda9813 
merge
@chopins
Merge pull request #18 from php/master
02d022a 
mege
@chopins
Merge pull request #19 from php/master
f8c032e 
sync
@chopins
Merge pull request #20 from php/master
2c54b72 
sync
@chopins
Merge pull request #21 from php/master
86402dc 
sync
@chopins
Merge pull request #22 from php/master
dbdff8a 
sync
@chopins
Merge branch 'php:master' into master
c44507a
@chopins
Merge pull request #23 from php/master
5f41c1b 
sync
@chopins
Merge pull request #24 from php/master
265af42 
sync master
@chopins
Merge pull request #25 from php/master
3e84b8e 
sync
@chopins
Merge branch 'php:master' into master
8d75d84
@chopins
Merge pull request #26 from php/master
45e2f63 
sync
@chopins
Merge pull request #27 from php/master
32996a4 
sync
@chopins
Merge pull request #28 from php/master
d6d7bb8 
sync
@chopins chopins requested a review from bukka as a code owner February 3, 2026 07:14
@iluuu1994
Copy link
Member

iluuu1994 commented Feb 3, 2026

Seems more like a webserver responsibility, but I'll let Jakub be the judge of that.

@chopins
Copy link
Contributor Author

chopins commented Feb 4, 2026

Seems more like a webserver responsibility, but I'll let Jakub be the judge of that.

The issue that PHP automatically saves uploaded files to temporary files should still be addressed.
Additionally, since the server cannot determine whether the php script will handle the file upload, PHP needs to make that determination.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bukka bukka Awaiting requested review from bukka bukka is a code owner

Assignees

No one assigned

Labels

ABI break

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chopins @iluuu1994