Fix GH-16802: open_basedir bypass using curl extension

And fix a memleak while here.

Author: ndossche

ext/curl/interface.c

@@ -1976,7 +1976,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 			zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
 #if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
 			if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
-				(PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
+				(PG(open_basedir) && *PG(open_basedir))
+					&& (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
+					 || php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
+					zend_tmp_string_release(tmp_str);
 					php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
 					return FAILURE;
 			}

ext/curl/tests/gh16802.phpt

@@ -0,0 +1,28 @@
+--TEST--
+GH-16802 (open_basedir bypass using curl extension)
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+if (PHP_OS_FAMILY === "Windows") die("skip not for Windows");
+?>
+--INI--
+open_basedir=/nowhere
+--FILE--
+<?php
+$ch = curl_init("file:///etc/passwd");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ftp,all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,ftp");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,file,ftp");
+var_dump(curl_exec($ch));
+?>
+--EXPECTF--
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+bool(false)