MFH: Missing safe_mode/open_basedir checks for file uploads.

2 files changed, 7 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 536b633819..785c56f1e9 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,7 @@ PHP                                                                        NEWS
   . ext/oracle (Jani, Derick)
   . ext/ovrimos (Jani, Derick, Pierre)
   . ext/pfpro (Jani, Derick, Pierre)
+- Added missing safe_mode/open_basedir checks for file uploads. (Ilia)
 - Fixed possible INI setting leak via virtual() in Apache 2 sapi. (Ilia)
 - Fixed potential GLOBALS overwrite via import_request_variables() and
   possible crash and/or memory corruption. (Ilia)
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 630a85a5e2..e7091d87d2 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1146,10 +1146,15 @@ PHP_FUNCTION(curl_setopt)
 					 * must be explicitly cast to long in curl_formadd
 					 * use since curl needs a long not an int. */
 					if (*postval == '@') {
+						++postval;
+						/* safe_mode / open_basedir check */
+						if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+							RETURN_FALSE;
+						}
 						error = curl_formadd(&first, &last, 
 											 CURLFORM_COPYNAME, string_key,
 											 CURLFORM_NAMELENGTH, (long)string_key_len - 1,
-											 CURLFORM_FILE, ++postval, 
+											 CURLFORM_FILE, postval, 
 											 CURLFORM_END);
 					} else {
 						error = curl_formadd(&first, &last,