Sec Bug #61210 redirection in curl incorrectly blocked if open_basedir is set
Submitted: 2012-02-29 16:00 UTC
Modified: 2014-02-12 18:25 UTC
From: bk2 at me dot com
Assigned:
Status: Duplicate
Package: Safe Mode/open_basedir
PHP Version: 5.3.10
OS: *nix
Private report: No
CVE-ID: None
 [2012-02-29 16:00 UTC] bk2 at me dot com
Description:
------------
Using the redirect option in curl is disabled if safemode OR open_basedir are
set. open_basedir is explicitly about filesystem access.

No conceivable interpretation is to stop redirection.

Function below simply redirects to Error page.
(function courtesy of Paypal utility.php, via free license)
Using it raises error "CURLOPT_FOLLOWLOCATION" disabled by safe mode or 
open_basedir is set.

Meaning you can't redirect if open_basedir is set, at least not via Curl.

The intent might be to plug some obscure hole, but the effect for anyone needing
to use cURL is to cause them NOT to set open_basedir, and hence lose all 
protection it might offer.
=============
There is nothing in the Curl or open_basedir documentation to indicate this
is the intent of PHP.NET 

Test script:
---------------
// any test script calling for curl redirect
PPError("Testmsg", 0);

function PPError($error_msg, $error_no) {
		// create a new curl resource
		$ch = curl_init();

		// set URL and other appropriate options
		$php_self = substr(htmlspecialchars($_SERVER["PHP_SELF"]), 1); // remove the leading /
		$redirectURL = Utils::getURL("/error.php");
		curl_setopt($ch, CURLOPT_URL, $redirectURL);
		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

		// set POST fields
		$postFields = "error_msg=".urlencode($error_msg)."&error_no=".urlencode($error_no);
		curl_setopt($ch, CURLOPT_POST, true);
		curl_setopt($ch,CURLOPT_POSTFIELDS,$postFields);

		// grab URL, and print
		curl_exec($ch);
		curl_close($ch);
	}

Expected result:
----------------
Redirect to page
<path>/error.php?error_msg=testmsg&error_no=0

Actual result:
--------------
raises error (paraphrased)
"CURLOPT_FOLLOWLOCATION" disabled by safe mode or open_basedir is set

 [2014-02-12 18:25 UTC] tyrael@php.net
-Status: Open +Status: Duplicate
 [2014-02-12 18:25 UTC] tyrael@php.net
This check has a reason behind it, but with a modern libcurl version, this check can be skipped, as curl by default will reject file:// location responses.
This is already implemented and will probably land with PHP 5.6:
https://bugs.php.net/bug.php?id=65646
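
The comment above ties the check to file:// Location responses. As an added example (not code from the bug report or from PHP itself), the following follows redirects by hand on builds that still refuse CURLOPT_FOLLOWLOCATION under open_basedir, and rejects any hop whose scheme is not http or https. It handles GET requests only, and the function names resolve_location and fetch_following_redirects are hypothetical.

```php
<?php
// Added example, not from the bug report; function names are hypothetical.
function resolve_location($base, $location)
{
    $loc = parse_url($location);
    $b = parse_url($base);
    if ($location === '' || $loc === false || $b === false || !isset($b['scheme'], $b['host'])) {
        return null;                                        // null means "refuse this redirect"
    }
    if (isset($loc['scheme'])) {
        // Absolute target: http(s) only, so file:// and similar are dropped.
        $ok = in_array(strtolower($loc['scheme']), array('http', 'https'), true);
        return $ok ? $location : null;
    }
    if (strncmp($location, '//', 2) === 0) {
        return $b['scheme'] . ':' . $location;              // scheme-relative
    }
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    $dir = preg_replace('#/[^/]*$#', '/', isset($b['path']) ? $b['path'] : '/');
    return $origin . ($location[0] === '/' ? '' : $dir) . $location;
}

// GET $url and follow up to $maxHops redirects; false on error or refusal.
function fetch_following_redirects($url, $maxHops = 5)
{
    for ($hop = 0; $url !== null && $hop <= $maxHops; $hop++) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HEADER, true);
        // CURLOPT_FOLLOWLOCATION stays at its default (off): each hop is checked here.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        $raw = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $hlen = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        curl_close($ch);
        if ($raw === false) {
            return false;
        }
        if ($code < 300 || $code >= 400
            || !preg_match('/^Location:[ \t]*(\S+)/mi', substr($raw, 0, $hlen), $m)) {
            return (string) substr($raw, $hlen);            // final body
        }
        $url = resolve_location($url, $m[1]);               // null (refused) ends the loop
    }
    return false;                                           // refused redirect or too many hops
}
// Constructed Location values, checked offline: one relative path, one file:// URL.
var_dump(resolve_location('http://example.test/a/b', '/error.php?error_no=0'));
var_dump(resolve_location('http://example.test/a/b', 'file:///etc/passwd'));
```

Where CURLOPT_FOLLOWLOCATION is accepted, setting CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS applies the same scheme restriction inside libcurl.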
 