Fix GH-16802: open_basedir bypass using curl extension

And fix a memleak while here.

Closes GH-16804.

Fix GH-16723: CURLMOPT_PUSHFUNCTION issues

We copy the source handler's FCCs to those of the destination.

We also fix the erroneous test assumption that the trampoline wouldn't

Fix GH-16723: CURLMOPT_PUSHFUNCTION issues

We copy the source handler's FCCs to those of the destination.

We also fix the erroneous test assumption that the trampoline wouldn't
be called.

Closes GH-16732.

show more ...

Fix GH-16359 curl write callback crash on FCC usage w/o user function.

close GH-16362

ext/curl: Add `CURLINFO_POSTTRANSFER_TIME_T` support (GH-15849)

libcurl ref: [`CURLINFO_POSTTRANSFER_TIME_T`](https://curl.se/libcurl/c/CURLINFO_POSTTRANSFER_TIME_T.html)

`CURLINFO_

ext/curl: Add `CURLINFO_POSTTRANSFER_TIME_T` support (GH-15849)

libcurl ref: [`CURLINFO_POSTTRANSFER_TIME_T`](https://curl.se/libcurl/c/CURLINFO_POSTTRANSFER_TIME_T.html)

`CURLINFO_POSTTRANSFER_TIME_T` is a libcurl info option that returns
the time it took to "post" the transfer. Available since libcurl 8.10.0

This value is also exposed as `posttransfer_time_us` in the
`curl_getinfo()` return value when the `$option` parameter is not
passed.

show more ...

ext/curl: Add `CURLOPT_DEBUGFUNCTION` option (GH-15674)

This adds support for `CURLOPT_DEBUGFUNCTION`[^1] Curl option to set a
custom callback that gets called with debug information dur

ext/curl: Add `CURLOPT_DEBUGFUNCTION` option (GH-15674)

This adds support for `CURLOPT_DEBUGFUNCTION`[^1] Curl option to set a
custom callback that gets called with debug information during the
lifetime of a Curl request.

The callback gets called with the `CurlHandle` object, an integer
containing the type of the debug message, and a string containing the
debug message. The callback may get called multiple times with the
same message type during a request.

PHP already uses `CURLOPT_DEBUGFUNCTION` functionality to internally
to expose a Curl option named `CURLINFO_HEADER_OUT`.

However,`CURLINFO_HEADER_OUT` is not a "real" Curl option supported
by libcurl. Back in 2006, `CURLINFO_HEADER_OUT` was added[^2] as
a Curl option by using the debug-callback feature. Git history does
not run that back to show why `CURLINFO_HEADER_OUT` was added as a
Curl option, and why the other debug types (such as
`CURLINFO_HEADER_IN` were not added as Curl options, but this seems
to be a historical artifact when we added features without trying
to be close to libcurl options.

This approach has a few issues:

1. `CURLINFO_HEADER_OUT` is not an actual Curl option supported by
upstream libcurl.

2. All of the Curl options have `CURLOPT_` prefix, and `CURLINFO_HEADER_OUT`
is the only Curl "option" that uses the `CURLINFO` prefix. This exception
is, however, noted[^3] in docs.

3. When `CURLINFO_HEADER_OUT` is set, the `CURLOPT_VERBOSE` is also implicitly
set. This was reported[^4] to bugs.php.net, but the bug is marked as wontfix.

This commit adds support for `CURLOPT_DEBUGFUNCTION`. It extends the existing
`curl_debug` callback to store the header-in information if it encounters
a debug message with `CURLINFO_HEADER_OUT`. In all cases, if a callable
is set, it gets called.

`CURLOPT_DEBUGFUNCTION` intends to replace `CURLINFO_HEADER_OUT` Curl
option as a versatile alternative that can also be used to extract
other debug information such as SSL data, text information messages,
incoming headers, as well as headers sent out (which `CURLINFO_HEADER_OUT`
makes available).

The callables are allowed to throw exceptions, but the return values are
ignored.

`CURLOPT_DEBUGFUNCTION` requires `CURLOPT_VERBOSE` enabled, and setting
`CURLOPT_DEBUGFUNCTION` does _not_ implicitly enable `CURLOPT_VERBOSE`.

If the `CURLOPT_DEBUGFUNCTION` option is set, setting `CURLINFO_HEADER_OUT`
throws a `ValueError` exception. Setting `CURLOPT_DEBUGFUNCTION` _after_
enabling `CURLINFO_HEADER_OUT` is allowed. Technically, it is possible
for both functionality (calling user-provided callback _and_ storing
header-out data) is possible, setting `CURLINFO_HEADER_OUT` is not
allowed to encourage the use of `CURLOPT_DEBUGFUNCTION` function.

This commit also adds the rest of the `CURLINFO_` constants used as
the `type` integer value in `CURLOPT_DEBUGFUNCTION` callback.

---

[^1]: [cur.se - CURLOPT_DEBUGFUNCTION](https://curl.se/libcurl/c/CURLOPT_DEBUGFUNCTION.html)
[^2]: [`5f25d80`](https://github.com/php/php-src/commit/5f25d80d106004692dacb9c01cdc49c7c883a13a)
[^3]: [curl_setopt doc mentioning `CURLINFO_` prefix is intentional](https://www.php.net/manual/en/function.curl-setopt.php#:~:text=prefix%20is%20intentional)
[^4]: [bugs.php.net - `CURLOPT_VERBOSE` does not work with `CURLINFO_HEADER_OUT`](https://bugs.php.net/bug.php?id=65348)

show more ...

ext/curl: No-op `CURLOPT_DNS_USE_GLOBAL_CACHE` constant (GH-15127)

Libcurl `CURLOPT_DNS_USE_GLOBAL_CACHE` constant is no longer supported
since libcurl[^1] 7.62. This no-ops the constant

ext/curl: No-op `CURLOPT_DNS_USE_GLOBAL_CACHE` constant (GH-15127)

Libcurl `CURLOPT_DNS_USE_GLOBAL_CACHE` constant is no longer supported
since libcurl[^1] 7.62. This no-ops the constant, but without causing
any deprecation notices.

[^1]: [CURLOPT_DNS_USE_GLOBAL_CACHE](https://curl.se/libcurl/c/CURLOPT_DNS_USE_GLOBAL_CACHE.html)

show more ...

ext/curl: libcurl `CURLOPT_{FTP_RESPONSE_TIMEOUT,ENCODING}` replacements (#15126)

ext/curl: Add `CURLOPT_PREREQFUNCTION` (#13255)

Curl >= 7.80.0 supports declaring a function for `CURLOPT_PREREQFUNCTION` option
that gets called after Curl establishes a connection (inc

ext/curl: Add `CURLOPT_PREREQFUNCTION` (#13255)

Curl >= 7.80.0 supports declaring a function for `CURLOPT_PREREQFUNCTION` option
that gets called after Curl establishes a connection (including the TLS handshake
for HTTPS connections), but before the actual request is made.

The callable must return either `CURL_PREREQFUNC_OK` or `CURL_PREREQFUNC_ABORT` to
allow or abort the request.

This adds support for it to PHP with required ifdef.

- libc: https://curl.se/libcurl/c/CURLOPT_PREREQFUNCTION.html

Co-authored-by: Gina Peter Bnayard <girgias@php.net>

show more ...

GH-15440: adding CURLOPT_TCP_KEEPCNT constant (8.9.0) (#15446)

close GH-15446

ext/curl: curl_error using curl_easy_strerror if CURLOPT_ERRORBUFFER

did not fill the error buffer.

close GH-14984

Remove unused SMART_STR_PREALLOC (#14848)

Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Preferably include from build dir (#13516)

* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Before, out of tree builds would preferably include files from the src dir, as
the include path was defined as follows (ignoring includes from ext/ and sapi/) :

-I$(top_builddir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/main
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM
-I$(top_builddir)/

As a result, an out of tree build would include configure artifacts such as
`main/php_config.h` from the src dir.

After this change, the include path is defined as follows:

-I$(top_builddir)/main
-I$(top_builddir)
-I$(top_srcdir)/main
-I$(top_srcdir)
-I$(top_builddir)/TSRM
-I$(top_builddir)/Zend
-I$(top_srcdir)/Zend
-I$(top_srcdir)/TSRM

* Fix extension include path for out of tree builds

* Include config.h with the brackets form

`#include "config.h"` searches in the directory containing the including-file
before any other include path. This can include the wrong config.h when building
out of tree and a config.h exists in the source tree.

Using `#include <config.h>` uses exclusively the include path, and gives
priority to the build dir.

show more ...

curl: change uses of sprintf into snprintf

ext/curl: Fix [-Wsign-compare] warning

Callable curl options should be nullable

symfony/http-client/Response/CurlResponse.php depends on this behavior.

Closes GH-14165

ext/curl: Refactor cURL to only use FCC (#13291)

* ext/curl: Convert handlers.progress to just be a FCC

* ext/curl: Convert handlers.sshhostkey to just be a FCC

* ext/curl:

ext/curl: Refactor cURL to only use FCC (#13291)

* ext/curl: Convert handlers.progress to just be a FCC

* ext/curl: Convert handlers.sshhostkey to just be a FCC

* ext/curl: Convert handlers.xferinfo to just be a FCC

* ext/curl: Convert handlers.fnmatch to just be a FCC

* ext/curl: Convert handlers.server_push to just be a FCC

* ext/curl: Convert php_curl_write to just use FCC without a function name zval

* ext/curl: Convert php_curl_read to just use FCC without a function name zval

* ext/curl: Remove workaround for old libcurl

* ext/curl: Create macros to codegen the handling of callable options

show more ...

ext/curl: Add `feature_info` assoc array to `curl_version()` (#13439)

The `phpinfo()` section of the Curl extension lists individual features
supported by the particular ext-Curl + libcu

ext/curl: Add `feature_info` assoc array to `curl_version()` (#13439)

The `phpinfo()` section of the Curl extension lists individual features
supported by the particular ext-Curl + libcurl build. However, the
`curl_version()` function return values do not indicate the same level of
details.

`curl_version()` has a `protocols` key that returns an array of all protocols
supported by the build. But the `features` key is a bitmask of all the features.
Checking the availability of certain feature requires knowing the corresponding
`CURL_VERSION` constant, and checking the availability of the constant and a
bitmask check for it in the `features` value.

For example, to determine HTTP2 support, it requires evaluating:

```php
defined('CURL_VERSION_HTTP2') && (curl_version()['features'] & CURL_VERSION_HTTP2 === CURL_VERSION_HTTP2)
```

To make feature availability checks more intuitive, this adds a new
`feature_list` key to `curl_version()` output array.

With it, checking for individual features availability is easier, and does
not require inspecting the availability of the `CURL_VERSION` constant and
the `features` key.

```php
!empty(curl_version()['feature_list']['HTTP2']);
```

show more ...

ext/curl: Bump minimum Curl version to >= 7.61.0 (#13259)

Bumps the minimum required libcurl version to 7.61.0.

Please also see #4917, which bumped minimum libcurl version to the cu

ext/curl: Bump minimum Curl version to >= 7.61.0 (#13259)

Bumps the minimum required libcurl version to 7.61.0.

Please also see #4917, which bumped minimum libcurl version to the current >= 7.29.0.
This bumps the minimum requirement to Curl 7.61.0 (released 2018 Sept).

Ubuntu, Debian, RHEL, and RHEL derivatives have major and LTS version bumps this year. Following are the
libcurl-dev/libcurl-devel versions available in the oldest supported (LTS or otherwise) in major OSs.

- Debian buster: [7.64](https://packages.debian.org/buster/libcurl4-openssl-dev)
- Ubuntu 20.04: [7.68](https://packages.ubuntu.com/focal/libcurl-dev)
- CentOS/RHEL 7: 7.29
- RHEL 8/Rocky 8/EL 8: 7.61
- Fedora 38: 7.87

RHEL/CentOS 7 reaches EOL mid 2024, so for PHP 8.4 scheduled towards the end of this year, we can safely
bump the minimum libcurl version.

7.61.0 was selected as the new minimum because RHEL and derivatives have libcurl-devel version 7.61. RHEL 8 is
a current and supported RHEL version.

show more ...

Add new curl constants from curl until (including) 7.87 (#10459)

Fixes GH-10454

Fix GH-11433: Unable to set CURLOPT_ACCEPT_ENCODING to NULL

Closes GH-11446.

More usage of known zend_str instead of C string (#11381)

ext/curl: Protocol should be a case insensitive check (#11052)

Minor drive-by refactoring to use the new API

ext/curl: suppress -Wdeprecated-declarations in curl_arginfo.h

Disable the warning before including curl_arginfo.h.

(Follow-up for https://github.com/php/php-src/pull/10531)

Fixed bug GH-10270 Unable to return CURL_READFUNC_PAUSE in readfunc callback

Closes GH-10607

Signed-off-by: George Peter Banyard <girgias@php.net>

Make lots of string pointers `const` (#10646)

This allows using string literals without implicitly casting away the
`const`.