go to bug id or search bugs for
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't! :-(
Here is the configure line for PHP:
'./configure' '--localstatedir=/var/hsphere/php' '--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr' '--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr' '--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp' '--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared' '--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared' '--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared' '--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared' '--with-curlwrappers' '--with-mhash=/hsphere/shared' '--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared' '--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--enable-mbstring' '--disable-debug' '--enable-pspell' '--enable-memory-limit' '--disable-files'
Changes to php.ini made:
open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/
disable_functions = "pack,system"
Please fix this
$ch = curl_init("file:/etc/snmp/snmpd.conf");
It should say that open_basedir restrictions are in affect and that it couldn't retrieve file.
When the above code is run, it actually retrieves my /etc/snmpd.conf and displays it's content in my browser. BIG SECURITY concern!
Add a Patch
Add a Pull Request
This bug has been fixed in CVS.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
> This bug has been fixed in CVS.
But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.
Feel free to try snapshots, that's why they are packaged.
You don't have to *INSTALL* a snapshot to test it.
I cannot confirm the fix in CVS, the following still works:
$ch = curl_init("file:///etc/passwd");
shows the content of /etc/passwd
using php4-STABLE-200602131136 and safe_mode=ON