- Fixed bug #30609 (cURL functions bypass open_basedir)
authorfoobar <sniper@php.net>
Mon, 14 Mar 2005 09:02:42 +0000 (09:02 +0000)
committerfoobar <sniper@php.net>
Mon, 14 Mar 2005 09:02:42 +0000 (09:02 +0000)
NEWS
ext/curl/interface.c

diff --git a/NEWS b/NEWS
index 8784d367887cba4219ee91a69cfb389a5472a765..2c5abf15c8e494ec308bf43f36dc5fdff2797846 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -132,6 +132,7 @@ PHP                                                                        NEWS
 - Fixed bug #30726 (-.1 like numbers are not being handled correctly). (Ilia)
 - Fixed bug #30725 (PHP segfaults when an exception is thrown in getIterator() 
   within foreach). (Marcus)
+- Fixed bug #30609 (cURL functions bypass open_basedir). (Jani)
 - Fixed bug #30446 (apache2handler: virtual() includes files out of sequence)
 - Fixed bug #30430 (odbc_next_result() doesn't bind values and that results 
   in segfault). (pdan-php at esync dot org, Tony)
index c9fed7cafbd2c860ef4a5f40c1142d5b3669e867..7d9b1cc9f1b509a6d1e8855bfe68443833ea9853 100644 (file)
@@ -49,6 +49,7 @@
 #include "ext/standard/php_smart_str.h"
 #include "ext/standard/info.h"
 #include "ext/standard/file.h"
+#include "ext/standard/url.h"
 #include "php_curl.h"
 
 static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
@@ -60,6 +61,26 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
 #define CAAS(s, v) add_assoc_string_ex(return_value, s, sizeof(s), (char *) v, 1);
 #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
 
+#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len)                                                                                                  \
+       if (PG(open_basedir) && *PG(open_basedir) &&                                                \
+           strncasecmp(str, "file://", sizeof("file://") - 1) == 0)                                                            \
+       {                                                                                                                                                                                       \
+               php_url *tmp_url;                                                                                                                                               \
+                                                                                                                                                                                               \
+               if (!(tmp_url = php_url_parse_ex(str, len))) {                                                                                  \
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str);                           \
+                       RETURN_FALSE;                                                                                                                                           \
+               }                                                                                                                                                                               \
+                                                                                                                                                                                               \
+               if (php_check_open_basedir(tmp_url->path TSRMLS_CC) ||                                                                  \
+                       (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))       \
+               ) {                                                                                                                                                                     \
+                       php_url_free(tmp_url);                                                                                                                          \
+                       RETURN_FALSE;                                                                                                                                           \
+               }                                                                                                                                                                               \
+               php_url_free(tmp_url);                                                                                                                                  \
+       }
+
 /* {{{ curl_functions[]
  */
 function_entry curl_functions[] = {
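Review bot: `tmp_url->path` is handed to `php_check_open_basedir()` and `php_checkuid()` in PHP_CURL_CHECK_OPEN_BASEDIR without a NULL test, and a parsed URL with no path component presumably leaves that field NULL; failing closed would be `if (!tmp_url->path || php_check_open_basedir(tmp_url->path TSRMLS_CC) ||`. The path being checked is also the raw text produced by `php_url_parse_ex()`, while libcurl parses the URL again on its own, so any disagreement between the two parsers (percent-encoding, for instance) means the file that is checked is not necessarily the file that is opened; canonicalising the path before the check would narrow that. As a matter of style the macro is a bare `if { … }` with a hidden `RETURN_FALSE` and unparenthesised arguments; wrapping it in `do { … } while (0)` and stating the early return in a comment above the definition would make call sites safer.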
@@ -773,6 +794,11 @@ PHP_FUNCTION(curl_init)
                WRONG_PARAM_COUNT;
        }
 
+       if (argc > 0) {
+               convert_to_string_ex(url);
+               PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
+       }
+
        cp = curl_easy_init();
        if (!cp) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not initialize a new cURL handle");
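Review bot: The new `if (argc > 0)` block in curl_init has no comment saying that PHP_CURL_CHECK_OPEN_BASEDIR can return from the function, which is the only reason its position before `curl_easy_init()` matters. A later reordering that moves the check below the handle allocation would leak the handle on a rejected URL, so I would add `/* must stay before curl_easy_init(): the macro does RETURN_FALSE on violation */` above the block. curl_init's body starts and ends outside this hunk.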
@@ -809,7 +835,6 @@ PHP_FUNCTION(curl_init)
 
        if (argc > 0) {
                char *urlcopy;
-               convert_to_string_ex(url);
 
                urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
                curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
@@ -855,7 +880,7 @@ PHP_FUNCTION(curl_copy_handle)
 }
 /* }}} */
 
-/* {{{ proto bool curl_setopt(resource ch, string option, mixed value)
+/* {{{ proto bool curl_setopt(resource ch, int option, mixed value)
    Set an option for a CURL transfer */
 PHP_FUNCTION(curl_setopt)
 {
@@ -956,8 +981,12 @@ PHP_FUNCTION(curl_setopt)
                        char *copystr = NULL;
        
                        convert_to_string_ex(zvalue);
-                       copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
 
+                       if (option == CURLOPT_URL) {
+                               PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
+                       }
+
+                       copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
                        error = curl_easy_setopt(ch->cp, option, copystr);
                        zend_llist_add_element(&ch->to_free.str, &copystr);
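Review bot: The open_basedir check in curl_setopt covers only the string given for `CURLOPT_URL`, so a `file://` location that libcurl reaches later, for example through a redirect when `CURLOPT_FOLLOWLOCATION` is enabled, is never validated by this code. Whether redirects are constrained elsewhere is not visible in this hunk; if they are not, refusing `CURLOPT_FOLLOWLOCATION` while `open_basedir` or safe mode is active would close that gap. A short comment on the new `if (option == CURLOPT_URL)` stating that the macro may return FALSE before `copystr` is allocated would also explain why the `estrndup()` call moved below it. curl_setopt's body starts and ends outside the hunk.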