Fix phpGH-16802: open_basedir bypass using curl extension

nielsdos · nielsdos · commit 179ca2bf2a71 · 2024-11-15T21:17:36.000+01:00
And fix a memleak while here. Closes phpGH-16804.
diff --git a/NEWS b/NEWS
@@ -12,6 +12,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
     (nielsdos)
 
+- Curl:
+  . Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
+
 - FPM:
   . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
 
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
@@ -1976,7 +1976,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 			zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
 #if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
 			if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
-				(PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
+				(PG(open_basedir) && *PG(open_basedir))
+					&& (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
+					 || php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
+					zend_tmp_string_release(tmp_str);
 					php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
 					return FAILURE;
 			}
diff --git a/ext/curl/tests/gh16802.phpt b/ext/curl/tests/gh16802.phpt
@@ -0,0 +1,31 @@
+--TEST--
+GH-16802 (open_basedir bypass using curl extension)
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x075500) {
+    die("skip: blob options not supported for curl < 7.85.0");
+}
+?>
+--INI--
+open_basedir=/nowhere
+--FILE--
+<?php
+$ch = curl_init("file:///etc/passwd");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ftp,all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,ftp");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,file,ftp");
+var_dump(curl_exec($ch));
+?>
+--EXPECTF--
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+bool(false)
