From: foobar <sniper@php.net>
Date: Mon, 14 Mar 2005 09:03:09 +0000 (+0000)
Subject: MFH: - Fixed bug #30609 (cURL functions bypass open_basedir)
X-Git-Tag: php-4.3.11RC2~25
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1be9cff9d3205decb3095327ca494784dcd80647;p=php

MFH: - Fixed bug #30609 (cURL functions bypass open_basedir)
---

diff --git a/NEWS b/NEWS
index b4c84b1928..0d7c42e8e7 100644
--- a/NEWS
+++ b/NEWS
@@ -77,6 +77,7 @@ PHP 4                                                                      NEWS
 - Fixed bug #31055 (apache2filter: per request leak proportional to the full
   path of the request URI). (kameshj at fastmail dot fm)
 - Fixed bug #30726 (-.1 like numbers are not being handled correctly). (Ilia)
+- Fixed bug #30609 (cURL functions bypass open_basedir). (Jani)
 - Fixed bug #30446 (apache2handler: virtual() includes files out of sequence)
 - Fixed bug #30430 (odbc_next_result() doesn't bind values and that results 
   in segfault). (pdan-php at esync dot org, Tony)
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index d17bfa541a..9a2c39aacc 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -50,6 +50,7 @@
 #include "ext/standard/php_smart_str.h"
 #include "ext/standard/info.h"
 #include "ext/standard/file.h"
+#include "ext/standard/url.h"
 #include "php_curl.h"
 
 static int  le_curl;
@@ -64,6 +65,26 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
 #define CAAS(s, v) add_assoc_string_ex(return_value, s, sizeof(s), (char *) v, 1);
 #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
 
+#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len)													\
+	if (PG(open_basedir) && *PG(open_basedir) &&                                                \
+	    strncasecmp(str, "file://", sizeof("file://") - 1) == 0)								\
+	{ 																							\
+		php_url *tmp_url; 																		\
+																								\
+		if (!(tmp_url = php_url_parse_ex(str, len))) {											\
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str);				\
+			RETURN_FALSE; 																		\
+		} 																						\
+																								\
+		if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || 									\
+			(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))	\
+		) { 																					\
+			php_url_free(tmp_url); 																\
+			RETURN_FALSE; 																		\
+		} 																						\
+		php_url_free(tmp_url); 																	\
+	}
+
 /* {{{ curl_functions[]
  */
 function_entry curl_functions[] = {
@@ -682,6 +703,11 @@ PHP_FUNCTION(curl_init)
 		WRONG_PARAM_COUNT;
 	}
 
+	if (argc > 0) {
+		convert_to_string_ex(url);
+		PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
+	}
+
 	alloc_curl_handle(&ch);
 
 	ch->cp = curl_easy_init();
@@ -712,7 +738,6 @@ PHP_FUNCTION(curl_init)
 
 	if (argc > 0) {
 		char *urlcopy;
-		convert_to_string_ex(url);
 
 		urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
 		curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
@@ -724,7 +749,7 @@ PHP_FUNCTION(curl_init)
 }
 /* }}} */
 
-/* {{{ proto bool curl_setopt(resource ch, string option, mixed value)
+/* {{{ proto bool curl_setopt(resource ch, int option, mixed value)
    Set an option for a CURL transfer */
 PHP_FUNCTION(curl_setopt)
 {
@@ -819,8 +844,12 @@ PHP_FUNCTION(curl_setopt)
 			char *copystr = NULL;
 	
 			convert_to_string_ex(zvalue);
-			copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
 
+			if (option == CURLOPT_URL) {
+				PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
+			}
+
+			copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
 			error = curl_easy_setopt(ch->cp, option, copystr);
 			zend_llist_add_element(&ch->to_free.str, &copystr);