- Fixed bug #30609 (cURL functions bypass open_basedir)

2024-11-24 10:24:11 +08:00 · 2005-03-14 09:02:23 +00:00 · 2005-03-14 09:02:23 +00:00 · 5718cb15a3
commit 5718cb15a3
parent 81629076f8
1 changed files with 32 additions and 3 deletions
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@ -49,6 +49,7 @@
 #include "ext/standard/php_smart_str.h"
 #include "ext/standard/info.h"
 #include "ext/standard/file.h"
+#include "ext/standard/url.h"
 #include "php_curl.h"

 static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
@ -60,6 +61,26 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
 #define CAAS(s, v) add_assoc_string_ex(return_value, s, sizeof(s), (char *) v, 1);
 #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);

+#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len)													\
+	if (PG(open_basedir) && *PG(open_basedir) &&                                                \
+	    strncasecmp(str, "file://", sizeof("file://") - 1) == 0)								\
+	{ 																							\
+		php_url *tmp_url; 																		\
+																								\
+		if (!(tmp_url = php_url_parse_ex(str, len))) {											\
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str);				\
+			RETURN_FALSE; 																		\
+		} 																						\
+																								\
+		if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || 									\
+			(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))	\
+		) { 																					\
+			php_url_free(tmp_url); 																\
+			RETURN_FALSE; 																		\
+		} 																						\
+		php_url_free(tmp_url); 																	\
+	}
+
 /* {{{ curl_functions[]
 */
 function_entry curl_functions[] = {
@ -779,6 +800,11 @@ PHP_FUNCTION(curl_init)
 		WRONG_PARAM_COUNT;
 	}

+	if (argc > 0) {
+		convert_to_string_ex(url);
+		PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
+	}
+
 	cp = curl_easy_init();
 	if (!cp) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not initialize a new cURL handle");
@ -815,7 +841,6 @@ PHP_FUNCTION(curl_init)

 	if (argc > 0) {
 		char *urlcopy;
-		convert_to_string_ex(url);

 		urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
 		curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
@ -861,7 +886,7 @@ PHP_FUNCTION(curl_copy_handle)
 }
 /* }}} */

-/* {{{ proto bool curl_setopt(resource ch, string option, mixed value)
+/* {{{ proto bool curl_setopt(resource ch, int option, mixed value)
   Set an option for a CURL transfer */
 PHP_FUNCTION(curl_setopt)
 {
@ -966,8 +991,12 @@ PHP_FUNCTION(curl_setopt)
 			char *copystr = NULL;
 	
 			convert_to_string_ex(zvalue);
-			copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));

+			if (option == CURLOPT_URL) {
+				PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
+			}
+
+			copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
 			error = curl_easy_setopt(ch->cp, option, copystr);
 			zend_llist_add_element(&ch->to_free.str, &copystr);