php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #77991 Expose cURL URL parsing functions
Submitted: 2019-05-08 11:23 UTC Modified: -
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: martijn at vanderven dot se Assigned:
Status: Open Package: cURL related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-05-08 11:23 UTC] martijn at vanderven dot se
Description:
------------
Since curl 7.62.0 [1] there has been a URL Parser [2] available from libcurl. It would be great if PHP could expose those through ext/curl.

Getting access to those functions would help in securing applications against a number of SSRF attacks [3] that depend on projects using a different URL parser for URL validation than used by the HTTP library for issuing the request.

See Orange Tsai’s amazing presentation about this at Black Hat USA 2017 [4][5].



[1]: https://daniel.haxx.se/blog/2018/10/31/curl-7-62-0-moar-stuff/
[2]: https://daniel.haxx.se/blog/2018/09/09/libcurl-gets-a-url-api/
[3]: https://www.owasp.org/index.php/Server_Side_Request_Forgery
[4]: https://www.blackhat.com/us-17/briefings.html#a-new-era-of-ssrf-exploiting-url-parser-in-trending-programming-languages
[5]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf


Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 08 21:01:25 2019 UTC