Skip to content

Fix GH-16802: open_basedir bypass using curl extension #16804

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Fix GH-16802: open_basedir bypass using curl extension #16804

wants to merge 3 commits into from

Conversation

nielsdos
Copy link
Member

And fix a memleak while here.

@nielsdos nielsdos requested a review from adoy as a code owner November 14, 2024 21:29
@nielsdos nielsdos linked an issue Nov 14, 2024 that may be closed by this pull request
open_basedir bypass using curl extension #16802
Closed
iluuu1994
iluuu1994 approved these changes Nov 15, 2024
View reviewed changes
Copy link
Member

@iluuu1994 iluuu1994 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

cmb69
cmb69 reviewed Nov 15, 2024
View reviewed changes
ext/curl/tests/gh16802.phpt Outdated
curl
--SKIPIF--
<?php
if (PHP_OS_FAMILY === "Windows") die("skip not for Windows");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not? The test passes for me (checked master only, though).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the file paths are Linux file paths. It passes because the check prevents the access anyway, but I didn't want to deal with Windows and check what happens if the patch is not applied. I can remove this check if you want.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without the patch, only the fourth curl_setopt() would trigger a warning, and curl_exec() would return false (with CURLOPT_VERBOSE "Protocol "file" disabled" is reported). So the actual file:// URI wouldn't matter. Doing curl_exec() after each curl_setopt() would only fail due to "Couldn't open file /etc/passwd" for the first exec; the three following curl_exec() would fail due to "Protocol "file" disabled" (still without the patch).

Anyhow, since the open_basedir value doesn't matter, we could use "file://" . str_replace("\\", "/", __FILE__) instead of file://etc/passwd, but it seems to me checking for the warnings is good enough. Even the curl_exec() is not really relevant.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even the curl_exec() is not really relevant.

Yes it is, because we want to check that the path is actually blocked, e.g. it could be broken in a way that warns but still allows the path.

Anyway I'll just drop the Windows skipif

@nielsdos nielsdos closed this in 179ca2b Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cmb69 cmb69 cmb69 left review comments

@iluuu1994 iluuu1994 iluuu1994 approved these changes

@adoy adoy Awaiting requested review from adoy adoy is a code owner

Assignees

No one assigned

Labels

Extension: curl

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

open_basedir bypass using curl extension

3 participants

@nielsdos @iluuu1994 @cmb69