|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31305 The cURL function bypasses open_basedir restriction
Submitted: 2004-12-26 23:52 UTC Modified: 2004-12-27 01:22 UTC
From: pavel at msmu dot ru Assigned:
Status: Not a bug Package: cURL related
PHP Version: 4.3.10 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
11 - 4 = ?
Subscribe to this entry?

 [2004-12-26 23:52 UTC] pavel at msmu dot ru
It is possible to access a file which is outside directory specified in open_basedir directive.

This bug is really easy to reproduce - just set some open_basedir and try to read the contents of, for example, /etc/passwd

I didn't find this bug, I read about it on security-related web-site, checked it, and it worked :(

Reproduce code:
$var1 = curl_init("file:///etc/passwd");
echo $anyfile

Expected result:
I would expect an error in the log saying about open_basedir restriction and access to the file being denied.

Actual result:
you'll get the contents of /etc/passwd


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2004-12-27 01:22 UTC]
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

Dup of #30609
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Jun 04 19:01:23 2020 UTC