|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36223 curl bypasses open_basedir restrictions
Submitted: 2006-01-31 11:18 UTC Modified: 2006-02-13 13:21 UTC
From: stevewest15 at yahoo dot com Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.4.2 OS: Redhat Enterprise 3.6
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: stevewest15 at yahoo dot com
New email:
PHP Version: OS:


 [2006-01-31 11:18 UTC] stevewest15 at yahoo dot com
PHP 4.4.2 still has the bug which allows CURL to bypass open_basedir restrictions. Your release notes for 4.4.2 state that it has been fixed...but it hasn't! :-(

Here is the configure line for PHP:

'./configure' '--localstatedir=/var/hsphere/php' '--with-apxs=/hsphere/shared/apache/bin/apxs' '--with-openssl=/usr' '--with-zlib=/usr' '--with-zlib-dir=/usr' '--with-bz2=/usr' '--enable-calendar' '--with-jpeg-dir=/hsphere/shared' '--enable-ftp' '--with-gd' '--with-ttf' '--with-freetype-dir=/hsphere/shared' '--enable-gd-native-ttf' '--with-png-dir=/hsphere/shared' '--with-gettext=/hsphere/shared' '--with-imap=/hsphere/shared' '--with-mysql=//usr' '--with-pgsql=//usr' '--with-curl=/hsphere/shared' '--with-curlwrappers' '--with-mhash=/hsphere/shared' '--with-mcrypt=/hsphere/shared' '--with-iconv=/hsphere/shared' '--enable-sockets' '--with-zip=/hsphere/shared' '--enable-versioning' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--enable-mbstring' '--disable-debug' '--enable-pspell' '--enable-memory-limit' '--disable-files'

Changes to php.ini made:

open_basedir = /home/hsphere/shared/apache/htdocs/:/usr/local/lib/php/:/tmp/

disable_functions = "pack,system"

Please fix this 

Reproduce code:
$ch = curl_init("file:/etc/snmp/snmpd.conf");
echo $file

Expected result:
It should say that open_basedir restrictions are in affect and that it couldn't retrieve file.

Actual result:
When the above code is run, it actually retrieves my /etc/snmpd.conf and displays it's content in my browser. BIG SECURITY concern!


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-31 11:57 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2006-02-01 09:06 UTC] stevewest15 at yahoo dot com
> This bug has been fixed in CVS.

But that is what was claimed with this release of 4.4.2. This is why we upgraded to 4.4.2. I'm not sure about using a CVS version on production servers but I hope a final version with this fix will be coming out soon.


 [2006-02-01 09:25 UTC]
Feel free to try snapshots, that's why they are packaged.
You don't have to *INSTALL* a snapshot to test it.
 [2006-02-13 13:21 UTC]
I cannot confirm the fix in CVS, the following still works:

$ch = curl_init("file:///etc/passwd");
echo $file

shows the content of /etc/passwd

using php4-STABLE-200602131136 and safe_mode=ON
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Dec 07 01:01:28 2023 UTC