Fixed a potential security problem.

sabre-io · Feb 9, 2014 · 1ba1938 · 1ba1938
1 parent 7f5f763
commit 1ba1938
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+2.0.2-stable (2014-02-09)
+	* Fixed: Potential security problem in the client.
+
 2.0.1-stable (2014-01-09)
 	* Fixed: getBodyAsString on an empty body now works.
 	* Fixed: Version string

diff --git a/lib/Sabre/HTTP/Client.php b/lib/Sabre/HTTP/Client.php
@@ -379,8 +379,10 @@ protected function createCurlSettingsArray(RequestInterface $request) {
                     $settings[CURLOPT_PUT] = true;
                     $settings[CURLOPT_INFILE] = $request->getBody();
                 } else {
-                    // Else, it's a string.
-                    $settings[CURLOPT_POSTFIELDS] = $body;
+                    // For security we cast this to a string. If somehow an array could
+                    // be passed here, it would be possible for an attacker to use @ to
+                    // post local files.
+                    $settings[CURLOPT_POSTFIELDS] = (string)$body;
                 }
                 $settings[CURLOPT_CUSTOMREQUEST] = $request->getMethod();
                 break;

diff --git a/lib/Sabre/HTTP/Version.php b/lib/Sabre/HTTP/Version.php
@@ -14,6 +14,6 @@ class Version {
     /**
      * Full version number
      */
-    const VERSION = '2.0.1';
+    const VERSION = '2.0.2';
 
 }