php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #61210 redirection in curl incorrectly blocked if open_basedir is set
Submitted: 2012-02-29 16:00 UTC Modified: 2014-02-12 18:25 UTC
From: bk2 at me dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.3.10 OS: *nix
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bk2 at me dot com
New email:
PHP Version: OS:

 

 [2012-02-29 16:00 UTC] bk2 at me dot com
Description:
------------
Using the redirect option in curl is disabled if safemode OR open_basedir are
et. open_basedir is explicitly about filesystem access.

No conceivable interpretation is to stop redirection.

Function below simply redirects to Error page.
(function courtesy of Paypal utility.php, via free license)
Using it raises error "CURLOPT_FOLLOWLOCATION" disabled by safe mode or 
open_basedir is set.

Meaning you cant redirect if open_basedir is s, at least not via Curl.

The intent might be to plug some obscure hole, but the effect for anyone needing
to use cURL is to cause them NOT to set open_basedir, and hence lose all 
protection it might offer.
=============
There is nothing in the Curl or open_basedir documentation to indicate this
is the intent of PHP.NET 

Test script:
---------------
// any test script calling for curl redirect
PPError("Testmsg", 0);

function PPError($error_msg, $error_no) {
		// create a new curl resource
		$ch = curl_init();

		// set URL and other appropriate options
		$php_self = substr(htmlspecialchars($_SERVER["PHP_SELF"]), 1); // remove the leading /
		$redirectURL = Utils::getURL("/error.php");
		curl_setopt($ch, CURLOPT_URL, $redirectURL);
		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

		// set POST fields
		$postFields = "error_msg=".urlencode($error_msg)."&error_no=".urlencode($error_no);
		curl_setopt($ch, CURLOPT_POST, true);
		curl_setopt($ch,CURLOPT_POSTFIELDS,$postFields);

		// grab URL, and print
		curl_exec($ch);
		curl_close($ch);
	}

Expected result:
----------------
Redirect to page
<path>/error.php?error_msg=testmsg&error_no=0

Actual result:
--------------
raises error (paraphrased)
"CURLOPT_FOLLOWLOCATION" disabled by safe mode or open_basedir is set

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-12 18:25 UTC] tyrael@php.net
-Status: Open +Status: Duplicate
 [2014-02-12 18:25 UTC] tyrael@php.net
This check has a reason behind it, but with a modern libcurl version, this check can be skipped, as curl by default will reject file:// location responses.
This is already implemented and will probably land with PHP 5.6:
https://bugs.php.net/bug.php?id=65646
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Jan 24 03:01:25 2021 UTC