

Request for Comments: Fix CURL file uploads

This RFC proposes an improvement to the cURL extension's file-upload option.


Currently, cURL file uploading is done as:

curl_setopt($curl_handle, CURLOPT_POST, 1);
$args['file'] = '@/path/to/file';
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $args);

This API is both inconvenient and insecure: it is impossible to send POST data that begins with '@', and any user-supplied data that is re-sent via cURL must be sanitized so that no value starts with '@' (otherwise cURL treats the value as a local file path and uploads that file). In general, in-band signalling of this kind is vulnerable to all sorts of injection and is better avoided.

CurlFile proposal

Instead of using the above method, the following should be used to upload files with CURLOPT_POSTFIELDS:

curl_setopt($curl_handle, CURLOPT_POST, 1);
$args['file'] = new CurlFile('filename.png', 'image/png');
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $args);

The cURL extension will be modified to look for objects of type CurlFile in the POSTFIELDS array and treat them the way entries starting with '@' were previously treated; plain string values are sent as ordinary form data regardless of their first character.
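An added example, not code from the RFC, showing how the proposed CurlFile API removes the need to sanitize user data for a leading '@': only the CurlFile object is treated as an upload, while the constructed comment value '@/etc/passwd' is sent as a literal string. The file path, the URL and the buildUploadFields() helper are assumptions made for the example.

```php
<?php
// Added example (not from the RFC). Requires PHP >= 5.5, where CurlFile exists.

function buildUploadFields(array $userFields, $path, $mimeType, $postName)
{
    // Validate the one file we actually intend to upload: realpath() + is_file()
    // rejects missing files and directories before cURL ever sees the path.
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        throw new InvalidArgumentException("Not a readable file: $path");
    }

    $fields = array();
    foreach ($userFields as $name => $value) {
        // With CurlFile there is nothing to sanitize here: a plain string is
        // posted verbatim. Under the old '@' convention a value such as
        // '@/etc/passwd' would have caused that file to be read and uploaded.
        $fields[$name] = (string) $value;
    }

    // This entry is an upload only because it is a CurlFile object.
    $fields['file'] = new CurlFile($real, $mimeType, $postName);
    return $fields;
}

// Constructed sample input: 'comment' is attacker-controlled text.
$fields = buildUploadFields(
    array('comment' => '@/etc/passwd', 'user' => 'alice'),
    __DIR__ . '/avatar.png',   // hypothetical local file for the example
    'image/png',
    'avatar.png'
);

$ch = curl_init('https://upload.example.invalid/api/files'); // placeholder URL
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
```

The multipart body produced contains one file part (avatar.png) and two text parts; the text part for 'comment' carries the literal bytes '@/etc/passwd'.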

CurlFile API

Backward compatibility

In order to ensure an orderly transition to the new API, the proposal is to leave the '@' option working in 5.5 but have it raise an E_DEPRECATED error that refers the user to the new API. In 5.6 the '@' option will be switched off by default, but can still be enabled by an explicit curl_setopt call, such as:

curl_setopt($curl_handle, CURLOPT_UNSAFE_UPLOAD, 1);

In future versions, this capability may be removed completely.



  • 2013-01-06 First draft