Request #77991 Expose cURL URL parsing functions
Submitted: 2019-05-08 11:23 UTC Modified: -
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: martijn at vanderven dot se Assigned:
Status: Open Package: cURL related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2019-05-08 11:23 UTC] martijn at vanderven dot se
Description:
------------
Since curl 7.62.0 [1] there has been a URL Parser [2] available from libcurl. It would be great if PHP could expose those through ext/curl.

Getting access to those functions would help in securing applications against a number of SSRF attacks [3] that depend on projects using a different URL parser for URL validation than used by the HTTP library for issuing the request.

See Orange Tsai’s amazing presentation about this at Black Hat USA 2017 [4][5].



[1]: https://daniel.haxx.se/blog/2018/10/31/curl-7-62-0-moar-stuff/
[2]: https://daniel.haxx.se/blog/2018/09/09/libcurl-gets-a-url-api/
[3]: https://www.owasp.org/index.php/Server_Side_Request_Forgery
[4]: https://www.blackhat.com/us-17/briefings.html#a-new-era-of-ssrf-exploiting-url-parser-in-trending-programming-languages
[5]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
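
Without the requested functions, a PHP caller can still narrow the parser-differential surface described in this report: accept only URLs that leave nothing to interpret, hand curl a URL rebuilt from the validated parts, and pin the address curl connects to. This is an added example, not code from the report or from PHP itself; `ALLOWED_HOSTS`, `vetUrl()` and `fetchVetted()` are hypothetical names and `api.example.com` is a placeholder.

```php
<?php
// Added example. ALLOWED_HOSTS, vetUrl() and fetchVetted() are hypothetical names.
const ALLOWED_HOSTS = ['api.example.com'];

// Returns [canonical URL, host, vetted IPv4 address] or throws.
function vetUrl(string $raw): array
{
    // Refuse bytes that leave room for parsers to disagree
    // (controls, whitespace, backslash, non-ASCII).
    if (preg_match('/[\x00-\x20\x7f-\xff\\\\]/', $raw)) {
        throw new InvalidArgumentException('control, space, backslash or non-ASCII byte');
    }
    $p = parse_url($raw);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || !isset($p['host'])) {
        throw new InvalidArgumentException('not an absolute https URL');
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port']) || isset($p['fragment'])) {
        throw new InvalidArgumentException('userinfo, port and fragment are refused');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host is not on the allow-list');
    }
    $tail = ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
    if (!preg_match('~^/[A-Za-z0-9._/%?&=+-]*$~D', $tail)) {
        throw new InvalidArgumentException('unexpected character in path or query');
    }
    // Resolve once here; curl is later pinned to this exact address.
    foreach (gethostbynamel($host) ?: [] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
            return ["https://$host$tail", $host, $ip];
        }
    }
    throw new RuntimeException('no public address for host');
}

function fetchVetted(string $raw): string
{
    [$url, $host, $ip] = vetUrl($raw);
    $ch = curl_init($url); // curl only ever sees the rebuilt URL, never $raw
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,               // a redirect would bypass the checks
        CURLOPT_RESOLVE        => ["$host:443:$ip"],   // skip curl's own DNS lookup
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false || curl_getinfo($ch, CURLINFO_PRIMARY_IP) !== $ip) {
        throw new RuntimeException('request failed or reached an unvetted address');
    }
    return $body;
}
```

Because `gethostbynamel()` returns IPv4 addresses only, hosts that resolve solely over IPv6 are refused by this sketch.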


Last updated: Thu Nov 21 08:01:29 2024 UTC