Hi everyone, Just want to add more context here: today PHP doesn't offer any good option to prevent SSRF that points to localhost. The options are tricky and error prone: that's exactly the use case of the CURLOPT_OPENSOCKETFUNCTION callback, that was added to curl in 2007. So, I'm not sure what the next step is, I remain available to iterate if needed ; I would love to see this released before the feature freeze.
Have a nice day, Xavier Le lun. 15 juin 2026 à 15:20, Xavier Leune <[email protected]> a écrit : > Hi internals, > > PR #22159 adds three libcurl callback options to ext/curl for 8.6: > > - CURLOPT_SOCKOPTFUNCTION > - CURLOPT_OPENSOCKETFUNCTION > - CURLOPT_CLOSESOCKETFUNCTION > > https://github.com/php/php-src/pull/22159 > > Motivation: give PHP users a native way to do SSRF filtering (validate the > resolved peer IP before connect) and low-level socket tuning > (SO_BINDTODEVICE, SO_MARK, keepalive, TCP_NODELAY...) without dropping to > ext/ffi. > > Because the C signatures use a raw curl_socket_t fd, the callbacks bridge > to ext/sockets and exchange real Socket objects, fully usable with > socket_set_option(), socket_close(), etc. > > Thanks to @devnexen who helped me to improve the dependencies management > and the low level integration. > CI is fully green (Linux, macOS, FreeBSD, Windows, ASAN). > > Feedback welcome on any matter. > > Thanks, > Xavier Leune > >
