Allow CURLOPT_FOLLOWLOCATION to be used with open_basedir.
authorAdam Harvey <aharvey@php.net>
Tue, 10 Sep 2013 18:42:42 +0000 (11:42 -0700)
committerAdam Harvey <aharvey@php.net>
Tue, 10 Sep 2013 18:42:42 +0000 (11:42 -0700)
Newer versions of libcurl prevent file:// location response headers by default,
which means that the open_basedir check is unnecessary: because
CURLOPT_REDIR_PROTOCOLS can't be set to include CURLPROTO_FILE while
open_basedir is enabled, there's no possibility of breaching the open_basedir
restriction, and this allows HTTP redirects to be followed automatically.

Implements FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or
safe_mode).

NEWS
ext/curl/interface.c
ext/curl/tests/bug65646.phpt [new file with mode: 0644]
ext/curl/tests/bug65646_open_basedir_new.phpt [new file with mode: 0644]
ext/curl/tests/bug65646_open_basedir_old.phpt [new file with mode: 0644]
ext/curl/tests/curl_setopt_CURLOPT_FOLLOWLOCATION_open_basedir.phpt [deleted file]

diff --git a/NEWS b/NEWS
index 29b5c9c0d0b5741cbf59ef9420b6fcda3d01a16a..bc3912602b4dcb112d72dcc7432e41a2787e3574 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,10 @@ PHP                                                                        NEWS
     of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
        (Gustavo)
 
+- cURL:
+  . Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir
+    or safe_mode). (Adam)
+
 - Session:
   . Fixed Bug #65315 (session.hash_function silently fallback to default md5)
     (Yasuo)
index ac872dfbc2ca91927b55666e2a328e7f40f0ebba..591315973ce20e9c7fe89bda88a978f040548545 100644 (file)
@@ -2504,6 +2504,7 @@ string_copy:
 
                case CURLOPT_FOLLOWLOCATION:
                        convert_to_long_ex(zvalue);
+#if LIBCURL_VERSION_NUM < 0x071304
                        if (PG(open_basedir) && *PG(open_basedir)) {
                                if (Z_LVAL_PP(zvalue) != 0) {
                                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when an open_basedir is set");
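Review bot: The `#if LIBCURL_VERSION_NUM < 0x071304` guard added above the open_basedir check is decided from the headers at build time, while the redirect restriction it relies on is enforced by whichever libcurl is loaded at run time. A binary built against 7.19.4+ headers but run against an older shared library would then skip this check without the library-side default. Consider keeping the block compiled in and gating it at run time, e.g. `if (curl_version_info(CURLVERSION_NOW)->version_num < 0x071304 && PG(open_basedir) && *PG(open_basedir)) {`. Either way, add a comment on the guard such as `/* 0x071304 = 7.19.4: redirects to file:// are off by default from here on; open_basedir safety relies on the CURLPROTO_FILE rejection for CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS */`, since that rejection is not part of this diff and a later change to it would silently remove the protection. The case body continues into the next hunk, where the matching `#endif` is added, and the enclosing function starts outside both hunks.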
@@ -2511,6 +2512,7 @@ string_copy:
                                        return 1;
                                }
                        }
+#endif
                        error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
                        break;
 
diff --git a/ext/curl/tests/bug65646.phpt b/ext/curl/tests/bug65646.phpt
new file mode 100644 (file)
index 0000000..f244f72
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+Bug #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode): open_basedir disabled
+--SKIPIF--
+<?php
+if (!extension_loaded('curl')) exit("skip curl extension not loaded");
+if (ini_get('open_basedir')) exit("skip open_basedir is set");
+?>
+--FILE--
+<?php
+$ch = curl_init();
+var_dump(curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true));
+curl_close($ch);
+?>
+--EXPECT--
+bool(true)
diff --git a/ext/curl/tests/bug65646_open_basedir_new.phpt b/ext/curl/tests/bug65646_open_basedir_new.phpt
new file mode 100644 (file)
index 0000000..991c4a2
--- /dev/null
@@ -0,0 +1,25 @@
+--TEST--
+Bug #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode): open_basedir enabled; curl >= 7.19.4
+--INI--
+open_basedir=.
+--SKIPIF--
+<?php
+if (!extension_loaded('curl')) exit("skip curl extension not loaded");
+if (version_compare(curl_version()['version'], '7.19.4', '<')) exit("skip curl version is too old");
+?>
+--FILE--
+<?php
+$ch = curl_init();
+var_dump(curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true));
+var_dump(curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_FILE));
+var_dump(curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_FILE));
+curl_close($ch);
+?>
+--EXPECTF--
+bool(true)
+
+Warning: curl_setopt(): CURLPROTO_FILE cannot be activated when an open_basedir is set in %s on line %d
+bool(false)
+
+Warning: curl_setopt(): CURLPROTO_FILE cannot be activated when an open_basedir is set in %s on line %d
+bool(false)
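Review bot: The `--FILE--` section only pins the case where the option value is exactly `CURLPROTO_FILE`. Because the open_basedir guarantee now rests entirely on that rejection, the test should also cover a mask that merely contains the file bit, for example `var_dump(curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_FILE));`, with the same warning and `bool(false)` expected. The test also asserts only `curl_setopt()` return values and never follows a redirect, so a one-line comment saying that the file:// redirect refusal itself is left to libcurl would make the coverage boundary explicit. The `--SKIPIF--` here and in bug65646_open_basedir_old.phpt keys on the run-time `curl_version()['version']`, whereas interface.c gates on the compile-time `LIBCURL_VERSION_NUM`; the two can disagree when headers and library differ, and one of these tests would then fail rather than skip.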
diff --git a/ext/curl/tests/bug65646_open_basedir_old.phpt b/ext/curl/tests/bug65646_open_basedir_old.phpt
new file mode 100644 (file)
index 0000000..cf11d21
--- /dev/null
@@ -0,0 +1,18 @@
+--TEST--
+Bug #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode): open_basedir enabled; curl < 7.19.4
+--INI--
+open_basedir=.
+--SKIPIF--
+<?php
+if (!extension_loaded('curl')) exit("skip curl extension not loaded");
+if (version_compare(curl_version()['version'], '7.19.4', '>=')) exit("skip curl version is too new");
+?>
+--FILE--
+<?php
+$ch = curl_init();
+var_dump(curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true));
+curl_close($ch);
+?>
+--EXPECTF--
+Warning: curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when an open_basedir is set in %s on line %d
+bool(false)
diff --git a/ext/curl/tests/curl_setopt_CURLOPT_FOLLOWLOCATION_open_basedir.phpt b/ext/curl/tests/curl_setopt_CURLOPT_FOLLOWLOCATION_open_basedir.phpt
deleted file mode 100644 (file)
index 7a778f3..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
---TEST--
-CURLOPT_FOLLOWLOCATION case check open_basedir
---CREDITS--
-WHITE new media architects - Dennis
---INI--
-open_basedir = DIRECTORY_SEPARATOR."tmp";
---SKIPIF--
-<?php
-if (!extension_loaded("curl")) print "skip cURL not loaded";
-?>
---FILE--
-<?php
-print (ini_get("OPEN_BASEDIR"));
-$ch = curl_init();
-$succes = curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
-curl_close($ch);
-var_dump($succes);
-?>
---EXPECTF--
-Warning: curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when an open_basedir is set in %s.php on line %d
-bool(false)
-