MFH: - Fixed bug #30609 (cURL functions bypass open_basedir)

diff --git a/NEWS b/NEWS
index b4c84b192890dbee75fef3845890336f6f811a12..0d7c42e8e7f4c2766852a898cd09120603cbb24b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -77,6 +77,7 @@ PHP 4                                                                      NEWS
 - Fixed bug #31055 (apache2filter: per request leak proportional to the full
   path of the request URI). (kameshj at fastmail dot fm)
 - Fixed bug #30726 (-.1 like numbers are not being handled correctly). (Ilia)
+- Fixed bug #30609 (cURL functions bypass open_basedir). (Jani)
 - Fixed bug #30446 (apache2handler: virtual() includes files out of sequence)
 - Fixed bug #30430 (odbc_next_result() doesn't bind values and that results 
   in segfault). (pdan-php at esync dot org, Tony)

diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index d17bfa541a169413460a174b10154bbd0c9fecd0..9a2c39aacc711884cb01f781295e899625bece8a 100644 (file)
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -50,6 +50,7 @@
 #include "ext/standard/php_smart_str.h"
 #include "ext/standard/info.h"
 #include "ext/standard/file.h"
+#include "ext/standard/url.h"
 #include "php_curl.h"
 
 static int  le_curl;
@@ -64,6 +65,26 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
 #define CAAS(s, v) add_assoc_string_ex(return_value, s, sizeof(s), (char *) v, 1);
 #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
 
+#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len)                                                                                                  \
+       if (PG(open_basedir) && *PG(open_basedir) &&                                                \
+           strncasecmp(str, "file://", sizeof("file://") - 1) == 0)                                                            \
+       {                                                                                                                                                                                       \
+               php_url *tmp_url;                                                                                                                                               \
+                                                                                                                                                                                               \
+               if (!(tmp_url = php_url_parse_ex(str, len))) {                                                                                  \
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str);                           \
+                       RETURN_FALSE;                                                                                                                                           \
+               }                                                                                                                                                                               \
+                                                                                                                                                                                               \
+               if (php_check_open_basedir(tmp_url->path TSRMLS_CC) ||                                                                  \
+                       (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))       \
+               ) {                                                                                                                                                                     \
+                       php_url_free(tmp_url);                                                                                                                          \
+                       RETURN_FALSE;                                                                                                                                           \
+               }                                                                                                                                                                               \
+               php_url_free(tmp_url);                                                                                                                                  \
+       }
+
 /* {{{ curl_functions[]
  */
 function_entry curl_functions[] = {
@@ -682,6 +703,11 @@ PHP_FUNCTION(curl_init)
                WRONG_PARAM_COUNT;
        }
 
+       if (argc > 0) {
+               convert_to_string_ex(url);
+               PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
+       }
+
        alloc_curl_handle(&ch);
 
        ch->cp = curl_easy_init();
@@ -712,7 +738,6 @@ PHP_FUNCTION(curl_init)
 
        if (argc > 0) {
                char *urlcopy;
-               convert_to_string_ex(url);
 
                urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
                curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
@@ -724,7 +749,7 @@ PHP_FUNCTION(curl_init)
 }
 /* }}} */
 
-/* {{{ proto bool curl_setopt(resource ch, string option, mixed value)
+/* {{{ proto bool curl_setopt(resource ch, int option, mixed value)
    Set an option for a CURL transfer */
 PHP_FUNCTION(curl_setopt)
 {
@@ -819,8 +844,12 @@ PHP_FUNCTION(curl_setopt)
                        char *copystr = NULL;
        
                        convert_to_string_ex(zvalue);
-                       copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
 
+                       if (option == CURLOPT_URL) {
+                               PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
+                       }
+
+                       copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
                        error = curl_easy_setopt(ch->cp, option, copystr);
                        zend_llist_add_element(&ch->to_free.str, &copystr);