From: Ilia Alshanetsky <iliaa@php.net>
Date: Thu, 19 Jun 2003 22:18:58 +0000 (+0000)
Subject: Added missing safe_mode checks
X-Git-Tag: php-4.3.3RC2~269
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=316d124ec46cf14621555a595fb8a0476790a689;p=php

Added missing safe_mode checks
---

diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index ed12a6a3c5..a76057432c 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -729,20 +729,16 @@ PHP_FUNCTION(curl_setopt)
 		case CURLOPT_USERAGENT:
 		case CURLOPT_FTPPORT:
 		case CURLOPT_COOKIE:
-		case CURLOPT_COOKIEFILE:
 		case CURLOPT_REFERER:
 		case CURLOPT_INTERFACE:
 		case CURLOPT_KRB4LEVEL: 
-		case CURLOPT_RANDOM_FILE:
 		case CURLOPT_EGDSOCKET:
 		case CURLOPT_CAINFO: 
 		case CURLOPT_CAPATH:
-		case CURLOPT_COOKIEJAR:
 		case CURLOPT_SSL_CIPHER_LIST: 
 		case CURLOPT_SSLKEY:
-		case CURLOPT_SSLCERT:
 		case CURLOPT_SSLKEYTYPE: 
-		case CURLOPT_SSLKEYPASSWD: 
+		case CURLOPT_SSLKEYPASSWD:
 		case CURLOPT_SSLENGINE: 
 #ifdef CURLOPT_ENCODING
 		case CURLOPT_ENCODING: 
@@ -954,6 +950,28 @@ PHP_FUNCTION(curl_setopt)
 
 			error = curl_easy_setopt(ch->cp, option, slist);
 
+			break;
+		}
+		/* the following options deal with files, therefor safe_mode & open_basedir checks
+		 * are required.
+		 */
+		case CURLOPT_COOKIEJAR:
+		case CURLOPT_SSLCERT:
+		case CURLOPT_RANDOM_FILE:
+		case CURLOPT_COOKIEFILE: {
+			char *copystr = NULL;
+
+			convert_to_string_ex(zvalue);
+
+			if (php_check_open_basedir(Z_STRVAL_PP(zvalue) TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(zvalue), "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+				RETURN_FALSE;			
+			}
+
+			copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
+
+			error = curl_easy_setopt(ch->cp, option, copystr);
+			zend_llist_add_element(&ch->to_free.str, &copystr);
+
 			break;
 		}
 	}