From 181a7d25fc00250fd971444f6e727f2eb4838d5d Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 14 Nov 2024 22:30:05 +0100
Subject: [PATCH 1/3] Fix GH-16802: open_basedir bypass using curl extension

And fix a memleak while here.
---
 ext/curl/interface.c | 5 ++++-
 ext/curl/tests/gh16802.phpt | 28 ++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 ext/curl/tests/gh16802.phpt

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 80cc87c2d2d3c..f22ad7a978844 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1976,7 +1976,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
 #if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
 if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
- (PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
+ (PG(open_basedir) && *PG(open_basedir))
+ && (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
+ || php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
+ zend_tmp_string_release(tmp_str);
 php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
 return FAILURE;
 }
diff --git a/ext/curl/tests/gh16802.phpt b/ext/curl/tests/gh16802.phpt
new file mode 100644
index 0000000000000..abee0529eaf84
--- /dev/null
+++ b/ext/curl/tests/gh16802.phpt
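Review bot: The new deny-list in the `if` is a case-insensitive substring scan, so a list that libcurl itself would accept with FILE explicitly excluded, such as `all,-file` (as I read libcurl's `+`/`-` prefix syntax for CURLOPT_PROTOCOLS_STR), is refused together with anything that merely contains `all` or `file`; that is a safe direction to err in, but the choice is undocumented, and the unchanged warning text about activating the FILE protocol then misdescribes what was refused in the `all,-file` case. I would state the trade-off above the condition: `/* Conservative: under open_basedir any list mentioning "file" or "all" (even "all,-file") is refused rather than parsed */`. If the false positives turn out to matter, parsing the comma-separated list and its prefixes is the precise fix. The `zend_tmp_string_release(tmp_str)` before the early return looks correct; `_php_curl_setopt` starts and ends outside this hunk, so the release on the non-error path is not visible here.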
@@ -0,0 +1,28 @@
+--TEST--
+GH-16802 (open_basedir bypass using curl extension)
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--INI--
+open_basedir=/nowhere
+--FILE--
+
+--EXPECTF--
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+bool(false)

From a00bb86af56451f4df105a725de13a63c491f02b Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 14 Nov 2024 23:27:06 +0100
Subject: [PATCH 2/3] ver check

---
 ext/curl/tests/gh16802.phpt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ext/curl/tests/gh16802.phpt b/ext/curl/tests/gh16802.phpt
index abee0529eaf84..068d563ce8720 100644
--- a/ext/curl/tests/gh16802.phpt
+++ b/ext/curl/tests/gh16802.phpt
@@ -5,6 +5,10 @@ curl
 --SKIPIF--
 --INI--
 open_basedir=/nowhere

From 8be0265ea7b8f08725e4fda533f63d506d9438c6 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 15 Nov 2024 20:24:35 +0100
Subject: [PATCH 3/3] Don't skip win

---
 ext/curl/tests/gh16802.phpt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ext/curl/tests/gh16802.phpt b/ext/curl/tests/gh16802.phpt
index 068d563ce8720..0fb3d4dedb170 100644
--- a/ext/curl/tests/gh16802.phpt
+++ b/ext/curl/tests/gh16802.phpt
@@ -4,7 +4,6 @@ GH-16802 (open_basedir bypass using curl extension)
 curl
 --SKIPIF--
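Review bot: The --EXPECTF-- section of the new test pins only the failure path, four warnings and a single `bool(false)`, and nothing asserts that a protocol list which does not mention FILE is still accepted under open_basedir, so a regression that over-rejects (refusing something like `http,https`) would pass this test unnoticed. I would add `var_dump(curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "http,https"));` to the --FILE-- section with a matching `bool(true)` line in --EXPECTF--. The PHP bodies of the --SKIPIF-- and --FILE-- sections are not visible in this rendering of the hunk (28 added lines are declared, far fewer are shown), so I cannot confirm which four inputs produce the warnings.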