php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #77991 Expose cURL URL parsing functions
Submitted: 2019-05-08 11:23 UTC Modified: -
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: martijn at vanderven dot se Assigned:
Status: Open Package: cURL related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: martijn at vanderven dot se
New email:
PHP Version: OS:

 

 [2019-05-08 11:23 UTC] martijn at vanderven dot se
Description:
------------
Since curl 7.62.0 [1] there has been a URL Parser [2] available from libcurl. It would be great if PHP could expose those through ext/curl.

Getting access to those functions would help in securing applications against a number of SSRF attacks [3] that depend on projects using a different URL parser for URL validation than used by the HTTP library for issuing the request.

See Orange Tsai’s amazing presentation about this at Black Hat USA 2017 [4][5].



[1]: https://daniel.haxx.se/blog/2018/10/31/curl-7-62-0-moar-stuff/
[2]: https://daniel.haxx.se/blog/2018/09/09/libcurl-gets-a-url-api/
[3]: https://www.owasp.org/index.php/Server_Side_Request_Forgery
[4]: https://www.blackhat.com/us-17/briefings.html#a-new-era-of-ssrf-exploiting-url-parser-in-trending-programming-languages
[5]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf


Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 11:01:29 2024 UTC