Sec Bug #61210 redirection in curl incorrectly blocked if open_basedir is set
Submitted: 2012-02-29 16:00 UTC Modified: 2014-02-12 18:25 UTC
From: bk2 at me dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.3.10 OS: *nix
Private report: No CVE-ID: None
 [2012-02-29 16:00 UTC] bk2 at me dot com
Description:
------------
Using the redirect option in curl is disabled if safemode OR open_basedir are
set. open_basedir is explicitly about filesystem access.

No conceivable interpretation is to stop redirection.

Function below simply redirects to Error page.
(function courtesy of Paypal utility.php, via free license)
Using it raises error "CURLOPT_FOLLOWLOCATION" disabled by safe mode or 
open_basedir is set.

Meaning you can't redirect if open_basedir is set, at least not via Curl.

The intent might be to plug some obscure hole, but the effect for anyone needing
to use cURL is to cause them NOT to set open_basedir, and hence lose all 
protection it might offer.
=============
There is nothing in the Curl or open_basedir documentation to indicate this
is the intent of PHP.NET 

Test script:
---------------
// any test script calling for curl redirect
PPError("Testmsg", 0);

function PPError($error_msg, $error_no) {
    // create a new curl resource
    $ch = curl_init();

    // set URL and other appropriate options
    $php_self = substr(htmlspecialchars($_SERVER["PHP_SELF"]), 1); // remove the leading /
    $redirectURL = Utils::getURL("/error.php");
    curl_setopt($ch, CURLOPT_URL, $redirectURL);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

    // set POST fields
    $postFields = "error_msg=" . urlencode($error_msg) . "&error_no=" . urlencode($error_no);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);

    // grab URL, and print
    curl_exec($ch);
    curl_close($ch);
}

Expected result:
----------------
Redirect to page
<path>/error.php?error_msg=testmsg&error_no=0

Actual result:
--------------
raises error (paraphrased)
"CURLOPT_FOLLOWLOCATION" disabled by safe mode or open_basedir is set

 [2014-02-12 18:25 UTC] tyrael@php.net
-Status: Open +Status: Duplicate
 [2014-02-12 18:25 UTC] tyrael@php.net
This check has a reason behind it, but with a modern libcurl version, this check can be skipped, as curl by default will reject file:// location responses.
This is already implemented and will probably land with PHP 5.6:
https://bugs.php.net/bug.php?id=65646
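
For PHP versions where the check described in this report is still in place, redirects can be followed by hand so that a hop only ever leads to http:// or https://, the same property the comment above attributes to modern libcurl rejecting file:// Location responses. This is an added example, not code from the report, PHP or the PayPal utility; the function names `isHttpUrl` and `fetchFollowingRedirects` are hypothetical, it handles GET only, and it assumes PHP 5.3.7 or later with the curl extension.

```php
<?php
// Added example. Function names are hypothetical, not part of PHP or the PayPal utility.

/** True only for absolute http:// or https:// URLs (relative references are refused). */
function isHttpUrl($url)
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), array('http', 'https'), true);
}

/** GET $url, following at most $maxHops redirects by hand, http(s) targets only. */
function fetchFollowingRedirects($url, $maxHops = 5)
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isHttpUrl($url)) {
            throw new RuntimeException("Refusing non-HTTP(S) URL: $url");
        }
        $ch = curl_init($url);
        // CURLOPT_FOLLOWLOCATION is left at its default (off), so the
        // open_basedir / safe mode check from this report is never reached.
        curl_setopt_array($ch, array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ));
        $body = curl_exec($ch);
        // libcurl reports the absolute URL it would have redirected to,
        // already resolved against the current URL.
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        $err  = curl_error($ch);
        curl_close($ch);
        if ($body === false) {
            throw new RuntimeException("cURL error: $err");
        }
        if (!is_string($next) || $next === '') {
            return $body; // not a redirect: this is the final response
        }
        $url = $next;     // validated by isHttpUrl() at the top of the next pass
    }
    throw new RuntimeException("More than $maxHops redirects");
}

// Constructed redirect targets, checked offline (no request is made here).
$samples = array('http://example.test/error.php', 'HTTPS://example.test/',
                 'file:///etc/passwd', 'gopher://example.test/');
foreach ($samples as $loc) {
    printf("%-32s %s\n", $loc, isHttpUrl($loc) ? 'follow' : 'refuse');
}
```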
 
Last updated: Sat Nov 28 14:01:23 2020 UTC