mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-11-23 01:44:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.4'

Browse Source 
* PHP-8.4:
  Fix GH-16802: open_basedir bypass using curl extension
This commit is contained in:
Niels Dossche 2024-11-15 21:17:56 +01:00
commit 2c532cf02b
No known key found for this signature in database
GPG Key ID: B8A8AD166DF0E2E5
2 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ext/curl/interface.c
View File

@ -1936,7 +1936,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
#if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
(PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
(PG(open_basedir) && *PG(open_basedir))
&& (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
|| php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
zend_tmp_string_release(tmp_str);
php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
return FAILURE;
}

31
ext/curl/tests/gh16802.phpt Normal file
View File

@ -0,0 +1,31 @@
--TEST--
GH-16802 (open_basedir bypass using curl extension)
--EXTENSIONS--
curl
--SKIPIF--
<?php
$curl_version = curl_version();
if ($curl_version['version_number'] < 0x075500) {
die("skip: blob options not supported for curl < 7.85.0");
}
?>
--INI--
open_basedir=/nowhere
--FILE--
<?php
$ch = curl_init("file:///etc/passwd");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ftp,all");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,ftp");
curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,file,ftp");
var_dump(curl_exec($ch));
?>
--EXPECTF--
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
bool(false)