diff options
author | Stanislav Malyshev <stas@php.net> | 2014-09-28 17:53:49 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-10-13 23:16:06 -0700 |
commit | ab0939e5e5449cba04b02fff3a5595f725bce0a0 (patch) | |
tree | b3450473c91215fda7d12ed65b22a8c3ec83cd7e | |
parent | 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 (diff) | |
download | php-git-ab0939e5e5449cba04b02fff3a5595f725bce0a0.tar.gz |
Fix bug #68089 - do not accept options with embedded \0
Conflicts:
ext/curl/interface.c
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/curl/interface.c | 6 | ||||
-rw-r--r-- | ext/curl/tests/bug68089.phpt | 18 |
3 files changed, 27 insertions, 0 deletions
@@ -11,6 +11,9 @@ PHP NEWS . Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669) (Stas) +- cURL: + . Fixed bug #68089 (NULL byte injection - cURL lib). (Stas) + - OpenSSL: . Reverted fixes for bug #41631, due to regressions. (Stas) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 8915625047..23b125238d 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -170,6 +170,12 @@ static int php_curl_option_url(php_curl *ch, const char *url, const int len TSRM #if LIBCURL_VERSION_NUM < 0x071100 char *copystr = NULL; #endif + + if (strlen(url) != len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)"); + return 0; + } + /* Disable file:// if open_basedir are used */ if (PG(open_basedir) && *PG(open_basedir)) { #if LIBCURL_VERSION_NUM >= 0x071304 diff --git a/ext/curl/tests/bug68089.phpt b/ext/curl/tests/bug68089.phpt new file mode 100644 index 0000000000..3bd5889709 --- /dev/null +++ b/ext/curl/tests/bug68089.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68089 (NULL byte injection - cURL lib) +--SKIPIF-- +<?php +include 'skipif.inc'; + +?> +--FILE-- +<?php +$url = "file:///etc/passwd\0http://google.com"; +$ch = curl_init(); +var_dump(curl_setopt($ch, CURLOPT_URL, $url)); +?> +Done +--EXPECTF-- +Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4 +bool(false) +Done |