pajoye Mon May 18 10:31:08 2009 UTC
Modified files: (Branch: PHP_5_3)
/php-src/ext/curl config.m4 interface.c
Log:
- MFB: - disable file:// when safe_mode or open_basedir are enabled
http://cvs.php.net/viewvc.cgi/php-src/ext/curl/config.m4?r1=1.28.2.3.2.7.2.2&r2=1.28.2.3.2.7.2.3&diff_format=u
Index: php-src/ext/curl/config.m4
diff -u php-src/ext/curl/config.m4:1.28.2.3.2.7.2.2
php-src/ext/curl/config.m4:1.28.2.3.2.7.2.3
--- php-src/ext/curl/config.m4:1.28.2.3.2.7.2.2 Sat May 2 19:53:48 2009
+++ php-src/ext/curl/config.m4 Mon May 18 10:31:08 2009
@@ -1,5 +1,5 @@
dnl
-dnl $Id: config.m4,v 1.28.2.3.2.7.2.2 2009/05/02 19:53:48 jani Exp $
+dnl $Id: config.m4,v 1.28.2.3.2.7.2.3 2009/05/18 10:31:08 pajoye Exp $
dnl
PHP_ARG_WITH(curl, for cURL support,
@@ -10,6 +10,7 @@
[ --with-curlwrappers Use cURL for url streams], no, no)
if test "$PHP_CURL" != "no"; then
+ AC_MSG_CHECKING($PHP_CURL ..........................)
if test -r $PHP_CURL/include/curl/easy.h; then
CURL_DIR=$PHP_CURL
else
http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.27.2.39&r2=1.62.2.14.2.27.2.40&diff_format=u
Index: php-src/ext/curl/interface.c
diff -u php-src/ext/curl/interface.c:1.62.2.14.2.27.2.39
php-src/ext/curl/interface.c:1.62.2.14.2.27.2.40
--- php-src/ext/curl/interface.c:1.62.2.14.2.27.2.39 Fri May 8 03:33:06 2009
+++ php-src/ext/curl/interface.c Mon May 18 10:31:08 2009
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: interface.c,v 1.62.2.14.2.27.2.39 2009/05/08 03:33:06 shire Exp $ */
+/* $Id: interface.c,v 1.62.2.14.2.27.2.40 2009/05/18 10:31:08 pajoye Exp $ */
#define ZEND_INCLUDE_FULL_WINDOWS_HEADERS
@@ -147,6 +147,7 @@
#endif
/* }}} */
+static void _php_curl_close_ex(php_curl *ch TSRMLS_DC);
static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
#define SAVE_CURL_ERROR(__handle, __err) (__handle)->err.no = (int) __err;
@@ -162,31 +163,44 @@
#define php_curl_ret(__ret) RETVAL_FALSE; return;
#endif
-#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret)
\
- if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&
\
- strncasecmp(str, "file:", sizeof("file:") - 1) == 0)
\
- {
\
- php_url *tmp_url;
\
-
\
- if (!(tmp_url = php_url_parse_ex(str, len))) {
\
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid
URL '%s'", str); \
- php_curl_ret(__ret);
\
- }
\
-
\
- if (tmp_url->host || !php_memnstr(str, tmp_url->path,
strlen(tmp_url->path), str + len)) { \
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s'
contains unencoded control characters", str); \
- php_url_free(tmp_url);
\
- php_curl_ret(__ret);
\
- }
\
-
\
- if (tmp_url->query || tmp_url->fragment ||
php_check_open_basedir(tmp_url->path TSRMLS_CC) ||
\
- (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+",
CHECKUID_CHECK_MODE_PARAM)) \
- ) {
\
- php_url_free(tmp_url);
\
- php_curl_ret(__ret);
\
- }
\
- php_url_free(tmp_url);
\
+static int php_curl_option_url(php_curl *ch, const char *url, const int len) {
+ CURLcode error=CURLE_OK;
+#if LIBCURL_VERSION_NUM < 0x071100
+ char *copystr = NULL;
+#endif
+ TSRMLS_FETCH();
+
+ /* Disable file:// if open_basedir or safe_mode are used */
+ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+#if LIBCURL_VERSION_NUM >= 0x071304
+ error = curl_easy_setopt(ch->cp, CURLOPT_PROTOCOLS,
CURLPROTO_ALL & ~CURLPROTO_FILE);
+#else
+ php_url *uri;
+
+ if (!(uri = php_url_parse_ex(url, len))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid
URL '%s'", url);
+ return 0;
+ }
+
+ if (!strncasecmp("file", uri->scheme, sizeof("file"))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol
'file' disabled in cURL");
+ php_url_free(uri);
+ return 0;
+ }
+ php_url_free(uri);
+#endif
}
+ /* Strings passed to libcurl as 'char *' arguments, are copied by the
library... NOTE: before 7.17.0 strings were not copied. */
+#if LIBCURL_VERSION_NUM >= 0x071100
+ error = curl_easy_setopt(ch->cp, CURLOPT_URL, url);
+#else
+ copystr = estrndup(url, len);
+ error = curl_easy_setopt(ch->cp, CURLOPT_URL, copystr);
+ zend_llist_add_element(&ch->to_free.str, ©str);
+#endif
+
+ return (error == CURLE_OK ? 1 : 0);
+}
/* {{{ arginfo */
ZEND_BEGIN_ARG_INFO_EX(arginfo_curl_version, 0, 0, 0)
@@ -1323,10 +1337,6 @@
return;
}
- if (url) {
- PHP_CURL_CHECK_OPEN_BASEDIR(url, url_len, (void) NULL);
- }
-
cp = curl_easy_init();
if (!cp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not
initialize a new cURL handle");
@@ -1362,15 +1372,10 @@
#endif
if (url) {
-#if LIBCURL_VERSION_NUM >= 0x071100
- curl_easy_setopt(ch->cp, CURLOPT_URL, url);
-#else
- char *urlcopy;
-
- urlcopy = estrndup(url, url_len);
- curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
- zend_llist_add_element(&ch->to_free.str, &urlcopy);
-#endif
+ if (!php_curl_option_url(ch, url, url_len)) {
+ _php_curl_close_ex(ch TSRMLS_CC);
+ RETURN_FALSE;
+ }
}
ZEND_REGISTER_RESOURCE(return_value, ch, le_curl);
@@ -1537,6 +1542,13 @@
case CURLOPT_FTP_FILEMETHOD:
#endif
convert_to_long_ex(zvalue);
+#if LIBCURL_VERSION_NUM >= 0x71304
+ if (((PG(open_basedir) && *PG(open_basedir)) ||
PG(safe_mode)) && (Z_LVAL_PP(zvalue) & CURLPROTO_FILE)) {
+ php_error_docref(NULL TSRMLS_CC,
E_WARNING, "CURLPROTO_FILE cannot be activated when in safe_mode or an
open_basedir is set");
+ RETVAL_FALSE;
+ return 1;
+ }
+#endif
error = curl_easy_setopt(ch->cp, option,
Z_LVAL_PP(zvalue));
break;
case CURLOPT_FOLLOWLOCATION:
@@ -1584,24 +1596,32 @@
#endif
convert_to_string_ex(zvalue);
-
- if (option == CURLOPT_URL
#if LIBCURL_VERSION_NUM >= 0x071300
- || option == CURLOPT_SSH_PUBLIC_KEYFILE ||
option == CURLOPT_SSH_PRIVATE_KEYFILE
-#endif
+ if (
+ option == CURLOPT_SSH_PUBLIC_KEYFILE || option
== CURLOPT_SSH_PRIVATE_KEYFILE
+
) {
-
PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue), 1);
+ if (php_check_open_basedir(Z_STRVAL_PP(zvalue)
TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(zvalue), "rb+",
CHECKUID_CHECK_MODE_PARAM))) {
+ RETVAL_FALSE;
+ return 1;
+ }
}
-
+#endif
+ if (option == CURLOPT_URL) {
+ if (!php_curl_option_url(ch,
Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue))) {
+ RETVAL_FALSE;
+ return 1;
+ }
+ } else {
#if LIBCURL_VERSION_NUM >= 0x071100
- /* Strings passed to libcurl as âchar *â arguments,
are copied by the library... NOTE: before 7.17.0 strings were not copied. */
- error = curl_easy_setopt(ch->cp, option,
Z_STRVAL_PP(zvalue));
+ /* Strings passed to libcurl as âchar *â
arguments, are copied by the library... NOTE: before 7.17.0 strings were not
copied. */
+ error = curl_easy_setopt(ch->cp, option,
Z_STRVAL_PP(zvalue));
#else
- copystr = estrndup(Z_STRVAL_PP(zvalue),
Z_STRLEN_PP(zvalue));
- error = curl_easy_setopt(ch->cp, option, copystr);
- zend_llist_add_element(&ch->to_free.str, ©str);
+ copystr = estrndup(Z_STRVAL_PP(zvalue),
Z_STRLEN_PP(zvalue));
+ error = curl_easy_setopt(ch->cp, option,
copystr);
+ zend_llist_add_element(&ch->to_free.str,
©str);
#endif
-
+ }
break;
}
case CURLOPT_FILE:
@@ -2233,10 +2253,8 @@
/* {{{ _php_curl_close()
List destructor for curl handles */
-static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
+static void _php_curl_close_ex(php_curl *ch TSRMLS_DC)
{
- php_curl *ch = (php_curl *) rsrc->ptr;
-
#if PHP_CURL_DEBUG
fprintf(stderr, "DTOR CALLED, ch = %x\n", ch);
#endif
@@ -2279,6 +2297,15 @@
}
/* }}} */
+/* {{{ _php_curl_close()
+ List destructor for curl handles */
+static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
+{
+ php_curl *ch = (php_curl *) rsrc->ptr;
+ _php_curl_close_ex(ch TSRMLS_CC);
+}
+/* }}} */
+
#endif /* HAVE_CURL */
/*
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
