From 3ea7ce2ca71bdf2acebdc2231a7a3be0ab74941e Mon Sep 17 00:00:00 2001
From: bohwaz
Date: Sun, 24 Mar 2024 19:04:23 +0100
Subject: [PATCH] Forbid file:// protocol in Curl

---
 config/default.rules | 4 ++++
 config/default_php8.rules | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/config/default.rules b/config/default.rules
index 2fa77d51..a3e779b7 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -112,6 +112,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# Ensure that file:// protocol is not allowed in CURL
+sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
+sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
+
 # File upload
 # On old PHP7 versions
 #sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index 98cc0db8..a4d89953 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
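Review bot: The new `value_r("file://")` match on the curl_setopt and curl_init rules is a regex, and as written it is case-sensitive unless Snuffleupagus compiles value_r patterns caselessly, while libcurl accepts URL schemes case-insensitively; the check is tighter written as `value_r("(?i)file://")`, and the same applies to the identical hunk in config/default_php8.rules. The curl_setopt rule also keys on `param("value")` for every option, so any string value containing `file://` (a POST body, a header line, a user agent) is dropped too, which is a defensible choice but worth stating in the comment, e.g. `# Drops any curl_setopt value matching file://, not only CURLOPT_URL`. Neither rule covers curl_setopt_array, which the existing SSL-verify rules above also leave uncovered; whether value_r can inspect an array parameter should be confirmed before relying on these two rules alone.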
@@ -112,6 +112,10 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+# Ensure that file:// protocol is not allowed in CURL
+sp.disable_function.function("curl_setopt").param("value").value_r("file://").drop().alias("file:// protocol is disabled");
+sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
+
 # File upload
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();