From ab0939e5e5449cba04b02fff3a5595f725bce0a0 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 28 Sep 2014 17:53:49 -0700 Subject: [PATCH] Fix bug #68089 - do not accept options with embedded \0 Conflicts: ext/curl/interface.c --- NEWS | 3 +++ ext/curl/interface.c | 6 ++++++ ext/curl/tests/bug68089.phpt | 18 ++++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 ext/curl/tests/bug68089.phpt diff --git a/NEWS b/NEWS index e758f35b7b..b074f9f3cb 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,9 @@ PHP NEWS . Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669) (Stas) +- cURL: + . Fixed bug #68089 (NULL byte injection - cURL lib). (Stas) + - OpenSSL: . Reverted fixes for bug #41631, due to regressions. (Stas) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 8915625047..23b125238d 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -170,6 +170,12 @@ static int php_curl_option_url(php_curl *ch, const char *url, const int len TSRM #if LIBCURL_VERSION_NUM < 0x071100 char *copystr = NULL; #endif + + if (strlen(url) != len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)"); + return 0; + } + /* Disable file:// if open_basedir are used */ if (PG(open_basedir) && *PG(open_basedir)) { #if LIBCURL_VERSION_NUM >= 0x071304 diff --git a/ext/curl/tests/bug68089.phpt b/ext/curl/tests/bug68089.phpt new file mode 100644 index 0000000000..3bd5889709 --- /dev/null +++ b/ext/curl/tests/bug68089.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68089 (NULL byte injection - cURL lib) +--SKIPIF-- + +--FILE-- + +Done +--EXPECTF-- +Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4 +bool(false) +Done -- 2.40.0