diff options
author | Ilia Alshanetsky <iliaa@php.net> | 2006-05-21 16:32:51 +0000 |
---|---|---|
committer | Ilia Alshanetsky <iliaa@php.net> | 2006-05-21 16:32:51 +0000 |
commit | ed53169150e5bddbf998e6e160985ad1d6226c37 (patch) | |
tree | 0f80d289b29e2f3282c5a1ddf26edeacb9822371 | |
parent | a2e5235b927deedc1decdf655c8283b19adc9069 (diff) | |
download | php-git-ed53169150e5bddbf998e6e160985ad1d6226c37.tar.gz |
MFH: Added control character checks for cURL extension's
open_basedir/safe_mode checks.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/curl/curl.c | 7 |
2 files changed, 8 insertions, 1 deletions
@@ -1,6 +1,8 @@ PHP 4 NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2006, Version 4.4.3 +- Added control character checks for cURL extension's open_basedir/safe_mode + checks. (Ilia) - Fixed a possible buffer overflow inside create_named_pipe() for Win32 systems in libmysql.c. (Ilia) - Updated PCRE to version 6.6. (Andrei) diff --git a/ext/curl/curl.c b/ext/curl/curl.c index 931aafaeb4..2f73da2213 100644 --- a/ext/curl/curl.c +++ b/ext/curl/curl.c @@ -162,11 +162,16 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC); strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \ { \ php_url *tmp_url; \ - \ + \ if (!(tmp_url = php_url_parse_ex(str, len))) { \ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str); \ RETURN_FALSE; \ } \ + \ + if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str); \ + RETURN_FALSE; \ + } \ \ if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ |