Hi everyone,

Just want to add more context here: today PHP doesn't offer any good option
to prevent SSRF that points to localhost.
The options are tricky and error prone: that's exactly the use case of
the CURLOPT_OPENSOCKETFUNCTION callback, that was added to curl in 2007.
So, I'm not sure what the next step is, I remain available to iterate if
needed ; I would love to see this released before the feature freeze.

Have a nice day,

Xavier


Le lun. 15 juin 2026 à 15:20, Xavier Leune <[email protected]>
a écrit :

> Hi internals,
>
> PR #22159 adds three libcurl callback options to ext/curl for 8.6:
>
>   - CURLOPT_SOCKOPTFUNCTION
>   - CURLOPT_OPENSOCKETFUNCTION
>   - CURLOPT_CLOSESOCKETFUNCTION
>
> https://github.com/php/php-src/pull/22159
>
> Motivation: give PHP users a native way to do SSRF filtering (validate the
> resolved peer IP before connect) and low-level socket tuning
> (SO_BINDTODEVICE, SO_MARK, keepalive, TCP_NODELAY...) without dropping to
> ext/ffi.
>
> Because the C signatures use a raw curl_socket_t fd, the callbacks bridge
> to ext/sockets and exchange real Socket objects, fully usable with
> socket_set_option(), socket_close(), etc.
>
> Thanks to @devnexen who helped me to improve the dependencies management
> and the low level integration.
> CI is fully green (Linux, macOS, FreeBSD, Windows, ASAN).
>
> Feedback welcome on any matter.
>
> Thanks,
> Xavier Leune
>
>

Reply via email to