authorIlia Alshanetsky <iliaa@php.net>2006-05-21 16:32:51 +0000
committerIlia Alshanetsky <iliaa@php.net>2006-05-21 16:32:51 +0000
commited53169150e5bddbf998e6e160985ad1d6226c37 (patch)
tree0f80d289b29e2f3282c5a1ddf26edeacb9822371
parenta2e5235b927deedc1decdf655c8283b19adc9069 (diff)
MFH: Added control character checks for cURL extension's
open_basedir/safe_mode checks.
-rw-r--r--NEWS2
-rw-r--r--ext/curl/curl.c7
2 files changed, 8 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 2ee7e5de68..027ee411e7 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2006, Version 4.4.3
+- Added control character checks for cURL extension's open_basedir/safe_mode
+ checks. (Ilia)
- Fixed a possible buffer overflow inside create_named_pipe() for Win32 systems
in libmysql.c. (Ilia)
- Updated PCRE to version 6.6. (Andrei)
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index 931aafaeb4..2f73da2213 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -162,11 +162,16 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
{ \
php_url *tmp_url; \
- \
+ \
if (!(tmp_url = php_url_parse_ex(str, len))) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str); \
RETURN_FALSE; \
} \
+ \
+ if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str); \
+ RETURN_FALSE; \
+ } \
\
if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
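Review bot: The added guard `if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len))` looks inverted: php_memnstr returns a non-NULL pointer when the needle is found, so this branch rejects URLs whose parsed path appears verbatim in `str` and passes the ones where it does not. If the intent is to catch paths the URL parser had to alter (presumably by rewriting control characters), the test should be `if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len))`; as written, the open_basedir/safe_mode check below can still run on a path that differs from the string cURL receives. The new early return also exits without releasing `tmp_url`, so add `php_url_free(tmp_url); \` before `RETURN_FALSE; \`. `tmp_url->path` is handed to strlen() with no NULL check, which is worth confirming for inputs such as a bare `file:` with no path. The macro body starts before and continues past this hunk, so any cleanup on the later paths is not visible here.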