From a92fc9fb89e747c8ac43a5f9406694ae01a62ef5 Mon Sep 17 00:00:00 2001
From: Xiao Chopins
Date: Tue, 3 Feb 2026 14:56:19 +0800
Subject: [PATCH] add multipart_uri_whitelist INI option
---
 main/SAPI.h | 1 +
 main/main.c | 1 +
 main/rfc1867.c | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+)
diff --git a/main/SAPI.h b/main/SAPI.h
index 9196982f54951..22c3adb78ba42 100644
--- a/main/SAPI.h
+++ b/main/SAPI.h
@@ -141,6 +141,7 @@ typedef struct _sapi_globals_struct {
 char *default_charset;
 HashTable *rfc1867_uploaded_files;
 zend_long post_max_size;
+ char *multipart_uri_whitelist;
 int options;
 bool sapi_started;
 double global_request_time;
diff --git a/main/main.c b/main/main.c
index 446ac0fcb7970..6d9ce4c65a511 100644
--- a/main/main.c
+++ b/main/main.c
@@ -878,6 +878,7 @@ PHP_INI_BEGIN()
 PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
 PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
 PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
+ STD_PHP_INI_ENTRY("multipart_uri_whitelist", NULL, PHP_INI_PERDIR, OnUpdateString, multipart_uri_whitelist, sapi_globals_struct, sapi_globals)
 STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
 STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index f6ffb6fabc7f1..b803ad7648c5b 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
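Review bot: The new `STD_PHP_INI_ENTRY("multipart_uri_whitelist", ...)` is registered with `PHP_INI_PERDIR` alone, whereas the adjacent upload controls `max_file_uploads` and `max_multipart_body_parts` are `PHP_INI_SYSTEM|PHP_INI_PERDIR`. For a restriction whose purpose is to keep multipart bodies away from unintended scripts that matters: per-directory files (`.user.ini`, `.htaccess`) can redefine the list either way, but with `PHP_INI_PERDIR` only the administrator cannot, as far as I can tell, pin it with an Apache `php_admin_value` (applied as `PHP_INI_SYSTEM`), which is the form used to make a setting non-overridable; I'd register it as `STD_PHP_INI_ENTRY("multipart_uri_whitelist", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, multipart_uri_whitelist, sapi_globals_struct, sapi_globals)`. Note also that `OnUpdateString` leaves `SG(multipart_uri_whitelist)` pointing at the INI entry's own string storage, so every consumer must treat it as read-only. The directive's format (`:`-separated request URIs, exact case-insensitive match) is not documented anywhere in the patch; php.ini-development/php.ini-production should describe it next to the other upload settings.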
@@ -670,6 +670,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 zend_long post_max_size = REQUEST_PARSE_BODY_OPTION_GET(post_max_size, SG(post_max_size));
 zend_long max_input_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
 zend_long upload_max_filesize = REQUEST_PARSE_BODY_OPTION_GET(upload_max_filesize, PG(upload_max_filesize));
+ char *multipart_uri_whitelist = SG(multipart_uri_whitelist);
 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
 php_rfc1867_getword_t getword;
 php_rfc1867_getword_conf_t getword_conf;
@@ -694,6 +695,24 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 _basename = php_ap_basename;
 }
+ if(multipart_uri_whitelist != NULL) {
+ char *uri = strtok(multipart_uri_whitelist, ":");
+ bool find = 0;
+
+ while (uri)
+ {
+ if(strcasecmp(SG(request_info).request_uri, uri) == 0) {
+ find = 1;
+ break;
+ }
+ uri = strtok(NULL, ":");
+ }
+ if(!find) {
+ EMIT_WARNING_OR_ERROR("request uri %s is not allow POST multipart body", SG(request_info).request_uri);
+ return;
+ }
+ }
+
 if (post_max_size > 0 && SG(request_info).content_length > post_max_size) {
 EMIT_WARNING_OR_ERROR("POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, post_max_size);
 return;
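Review bot: `strtok(multipart_uri_whitelist, ":")` writes NUL bytes over the separators of the INI value itself, because `OnUpdateString` (main.c hunk) leaves `SG(multipart_uri_whitelist)` pointing at the INI entry's own storage; on a persistent SAPI such as FPM or mod_php the first request therefore silently shrinks the list to its first entry for every later request, and that storage may be interned or otherwise not meant to be written. `strtok` also keeps hidden static state, so on a ZTS build two requests tokenizing concurrently can interleave. `SG(request_info).request_uri` is handed to `strcasecmp` unchecked; whether every SAPI populates it, and whether it carries the query string or PATH_INFO, is SAPI-specific (not visible from this hunk), so add a NULL guard and document that this is an exact, case-insensitive match against the raw request URI. The non-mutating rewrite of the added block below also fixes the grammar of the warning text; `rfc1867_post_handler` begins and ends outside this hunk.
```c
	if (multipart_uri_whitelist != NULL) {
		const char *request_uri = SG(request_info).request_uri;
		const char *entry = multipart_uri_whitelist;
		bool allowed = false;

		/* Walk the ':'-separated list without mutating the INI storage.
		 * Exact, case-insensitive match of the whole request URI. */
		while (request_uri != NULL && !allowed) {
			const char *sep = strchr(entry, ':');
			size_t len = sep ? (size_t)(sep - entry) : strlen(entry);

			if (len > 0 && strlen(request_uri) == len && strncasecmp(request_uri, entry, len) == 0) {
				allowed = true;
			}
			if (sep == NULL) {
				break;
			}
			entry = sep + 1;
		}
		if (!allowed) {
			EMIT_WARNING_OR_ERROR("request uri %s is not allowed to POST a multipart body", request_uri ? request_uri : "(null)");
			return;
		}
	}
	/* … unchanged: post_max_size check … */
```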