From: Ilia Alshanetsky <iliaa@php.net>
Date: Sun, 21 May 2006 16:32:51 +0000 (+0000)
Subject: MFH: Added control character checks for cURL extension's
X-Git-Tag: php-4.4.3RC1~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ed53169150e5bddbf998e6e160985ad1d6226c37;p=php

MFH: Added control character checks for cURL extension's
open_basedir/safe_mode checks.
---

diff --git a/NEWS b/NEWS
index 2ee7e5de68..027ee411e7 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.3
+- Added control character checks for cURL extension's open_basedir/safe_mode
+  checks. (Ilia)
 - Fixed a possible buffer overflow inside create_named_pipe() for Win32 systems
   in libmysql.c. (Ilia)
 - Updated PCRE to version 6.6. (Andrei)
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index 931aafaeb4..2f73da2213 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -162,11 +162,16 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
 	    strncasecmp(str, "file:", sizeof("file:") - 1) == 0)								\
 	{ 																							\
 		php_url *tmp_url; 																		\
-																								\
+															\
 		if (!(tmp_url = php_url_parse_ex(str, len))) {											\
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str);				\
 			RETURN_FALSE; 																		\
 		} 																						\
+															\
+		if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {				\
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str);	\
+			RETURN_FALSE;											\
+		}													\
 																								\
 		if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || 									\
 			(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))	\