Ilia, I think you wrote this. Could you help me understand what you
were trying to do in the open basedir check macro:
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret)
if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&
strncasecmp(str, "file:", sizeof("file:") - 1) == 0)
So this check is only applied to file: urls passed to curl when either
safe_mode or open_basedir is set. Ok
{
php_url *tmp_url;
if (!(tmp_url = php_url_parse_ex(str, len))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL
'%s'", str);
php_curl_ret(__ret);
}
And this invalid URL check makes sense too. url_parse couldn't grok it.
if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str +
len)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s'
contains unencoded control characters.", str);
php_url_free(tmp_url);
php_curl_ret(__ret);
}
This memnstr call makes no sense to me. str is going to be
file:///some/path/some_file.txt so tmp_url->path is going to be
"/some/path" memnstr returns the char * to the beginning of
"/some/path" in "file:///some/path/some_file.txt" which would be str+7
which is obviously non-false which means the warning message about
unencoded control chars is printed. Did you perhaps mean !php_memnstr
there? But php_memnstr() is binary-safe, so you are relying on the
url_parse function to have replaced the control chars in the middle of
the path to make it not match? Or what exactly are you trying to catch
with this check?
-Rasmus