Fix GH-16802: open_basedir bypass using curl extension

And fix a memleak while here.

Closes GH-16804.
Niels Dossche 2024-11-14 22:30:05 +01:00
parent ed59c00661
commit 179ca2bf2a
GPG Key ID: B8A8AD166DF0E2E5
3 changed files with 38 additions and 1 deletions

3
NEWS

@ -12,6 +12,9 @@ PHP NEWS
. Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
(nielsdos)
- Curl:
. Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
- FPM:
. Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)


@ -1976,7 +1976,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
#if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
(PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
(PG(open_basedir) && *PG(open_basedir))
&& (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
|| php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
zend_tmp_string_release(tmp_str);
php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
return FAILURE;
}
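Review bot: The open_basedir guard built from the two `php_memnistr(...)` calls is a substring deny-list over the raw option string, so it is only as complete as the set of tokens libcurl accepts for enabling FILE. `"file"` and `"all"` are covered, but nothing at the condition records why `"all"` is there or that the match is deliberately over-broad. A comment above the `if` would make that coupling explicit, for example `/* Deny-list: libcurl treats "all" as enabling every protocol, FILE included; substring match is intentionally over-broad. Re-check when libcurl adds protocol tokens. */`. The warning text still names only the FILE protocol, which may puzzle a caller who passed `"all"`. The body of `_php_curl_setopt` starts and ends outside this hunk, so whether the integer `CURLOPT_PROTOCOLS` path has an equivalent check cannot be confirmed from here.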


@ -0,0 +1,31 @@
--TEST--
GH-16802 (open_basedir bypass using curl extension)
--EXTENSIONS--
curl
--SKIPIF--
<?php
$curl_version = curl_version();
if ($curl_version['version_number'] < 0x075500) {
die("skip: blob options not supported for curl < 7.85.0");
}
?>
--INI--
open_basedir=/nowhere
--FILE--
<?php
$ch = curl_init("file:///etc/passwd");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ftp,all");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,ftp");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,file,ftp");
var_dump(curl_exec($ch));
?>
--EXPECTF--
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
bool(false)
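Review bot: The test exercises only lower-case tokens on `CURLOPT_PROTOCOLS_STR`, so two properties the C-side check relies on are left unpinned: the case-insensitive match and the `CURLOPT_REDIR_PROTOCOLS_STR` branch. Adding `curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ALL");` and `curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS_STR, "all");` to the `--FILE--` section, with two more matching warning lines in `--EXPECTF--`, would catch a regression to a case-sensitive search or a dropped redirect option. The `--SKIPIF--` message mentions "blob options", which looks carried over from another test; `skip: CURLOPT_PROTOCOLS_STR requires curl >= 7.85.0` would describe the actual requirement.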