Fix GH-16802: open_basedir bypass using curl extension #16804
Conversation
And fix a memleak while here.
ext/curl/tests/gh16802.phpt
Outdated
| curl | ||
| --SKIPIF-- | ||
| <?php | ||
| if (PHP_OS_FAMILY === "Windows") die("skip not for Windows"); |
There was a problem hiding this comment.
Why not? The test passes for me (checked master only, though).
There was a problem hiding this comment.
Because the file paths are Linux file paths. It passes because the check prevents the access anyway, but I didn't want to deal with Windows and check what happens if the patch is not applied. I can remove this check if you want.
There was a problem hiding this comment.
Without the patch, only the fourth curl_setopt() would trigger a warning, and curl_exec() would return false (with CURLOPT_VERBOSE "Protocol "file" disabled" is reported). So the actual file:// URI wouldn't matter. Doing curl_exec() after each curl_setopt() would only fail due to "Couldn't open file /etc/passwd" for the first exec; the three following curl_exec() would fail due to "Protocol "file" disabled" (still without the patch).
Anyhow, since the open_basedir value doesn't matter, we could use "file://" . str_replace("\\", "/", __FILE__) instead of file://etc/passwd, but it seems to me checking for the warnings is good enough. Even the curl_exec() is not really relevant.
There was a problem hiding this comment.
Even the curl_exec() is not really relevant.
Yes it is, because we want to check that the path is actually blocked, e.g. it could be broken in a way that warns but still allows the path.
Anyway I'll just drop the Windows skipif
And fix a memleak while here.