Fix bug #68089 - do not accept options with embedded \0

Conflicts:
	ext/curl/interface.c

diff --git a/NEWS b/NEWS
index e758f35b7baf2cabdc33b60748e7b7ff08b55eee..b074f9f3cb07cc38a2e1c201f702bcbdff113f35 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ PHP                                                                        NEWS
   . Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). 
     (CVE-2014-3669) (Stas)
 
+- cURL:
+  . Fixed bug #68089 (NULL byte injection - cURL lib). (Stas)
+
 - OpenSSL:
   . Reverted fixes for bug #41631, due to regressions. (Stas) 
 

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 8915625047c16fad6a426047e91f12932a664f02..23b125238d3ff059cf2bfd5f495c0506c07a7f61 100644 (file)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -170,6 +170,12 @@ static int php_curl_option_url(php_curl *ch, const char *url, const int len TSRM
 #if LIBCURL_VERSION_NUM < 0x071100
        char *copystr = NULL;
 #endif
+
+       if (strlen(url) != len) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)");
+               return 0;
+       }
+
        /* Disable file:// if open_basedir are used */
        if (PG(open_basedir) && *PG(open_basedir)) {
 #if LIBCURL_VERSION_NUM >= 0x071304

diff --git a/ext/curl/tests/bug68089.phpt b/ext/curl/tests/bug68089.phpt
new file mode 100644 (file)
index 0000000..3bd5889
--- /dev/null
+++ b/ext/curl/tests/bug68089.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #68089 (NULL byte injection - cURL lib)
+--SKIPIF--
+<?php 
+include 'skipif.inc';
+
+?>
+--FILE--
+<?php
+$url = "file:///etc/passwd\0http://google.com";
+$ch = curl_init();
+var_dump(curl_setopt($ch, CURLOPT_URL, $url));
+?>
+Done
+--EXPECTF--
+Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4
+bool(false)
+Done