Comments (3)
It's based off of cURL, so this would be a security hole in just about any PHP script that uses cURL to send POST data. I think an application should sanitize user data before trying to use it.
With that said, I'm not against trying to make sanitizing this data easier. Any suggestions?
from guzzle.
I wasn't aware of that, and it seems quite open for a couple of exploits (very few sites sanitize strings starting with "@").
I would suggest simply leaving out that ability ('files' => array(...) isn't much more work), but since it's already present in cURL, not following suit is a harder argument.
from guzzle.
I think Guzzle should allow users to send any file they want, and I believe it's the end-developer's responsibility to sanitize user input before sending POST requests.
You've raised a good point though. I've added a note about sanitizing user input in the documentation: http://guzzlephp.org/tour/http.html#post
from guzzle.
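One way to apply the sanitizing advice from the thread above, as an added example that is not code from the Guzzle project or from these commenters: it hands user-supplied fields to PHP's cURL extension in a form where the legacy "@filename" rule cannot turn a value into a local file read, and passes intended uploads explicitly. The URL, field names and values are constructed for the demonstration, and it talks to the cURL extension directly rather than through Guzzle's API.

```php
<?php
// Added example (not Guzzle's own code). Demonstrates keeping user input
// out of cURL's legacy "@/path" upload behaviour when building a POST.
// Field names, values and the URL below are constructed.

/**
 * Build a POST body from user-supplied fields.
 *
 * When there are no uploads, the body is sent as a URL-encoded string:
 * cURL only inspects *array* values for a leading "@", so a value such
 * as "@/etc/passwd" is transmitted literally as form data.
 *
 * When uploads are needed the array form is unavoidable, so every scalar
 * value is checked for a leading "@" and the files are wrapped in
 * CURLFile, the explicit (non-magic) upload API available since PHP 5.5.
 */
function buildPostBody(array $fields, array $files = [])
{
    if ($files === []) {
        return http_build_query($fields);   // string body: no "@" magic
    }
    $body = [];
    foreach ($fields as $name => $value) {
        $value = (string) $value;
        if ($value !== '' && $value[0] === '@') {
            // Old PHP/cURL would read this as a file path; refuse it.
            throw new InvalidArgumentException("Field '$name' starts with '@'");
        }
        $body[$name] = $value;
    }
    foreach ($files as $name => $path) {
        $body[$name] = new CURLFile($path);  // upload only what we chose
    }
    return $body;
}

// Constructed sample: the "comment" field is attacker-controlled input.
$fields = ['user' => 'alice', 'comment' => '@/etc/passwd'];

$ch = curl_init('https://example.invalid/submit');   // placeholder URL
curl_setopt($ch, CURLOPT_POST, true);
if (defined('CURLOPT_SAFE_UPLOAD')) {
    // PHP 5.5+: explicitly disable "@" interpretation (default from 5.6).
    curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
}
curl_setopt($ch, CURLOPT_POSTFIELDS, buildPostBody($fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
```

On PHP versions before 5.5 the string-body path is the only protection available here, since neither CURLFile nor CURLOPT_SAFE_UPLOAD exists there.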