Sec Bug #61210 redirection in curl incorrectly blocked if open_basedir is set
Submitted: 2012-02-29 16:00 UTC Modified: 2014-02-12 18:25 UTC
From: bk2 at me dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.3.10 OS: *nix
Private report: No CVE-ID: None

 [2012-02-29 16:00 UTC] bk2 at me dot com
Using the redirect option in curl is disabled if safemode OR open_basedir are
set. open_basedir is explicitly about filesystem access.

No conceivable interpretation is to stop redirection.

Function below simply redirects to Error page.
(function courtesy of Paypal utility.php, via free license)
Using it raises error "CURLOPT_FOLLOWLOCATION" disabled by safe mode or 
open_basedir is set.

Meaning you can't redirect if open_basedir is set, at least not via Curl.

The intent might be to plug some obscure hole, but the effect for anyone needing
to use cURL is to cause them NOT to set open_basedir, and hence lose all 
protection it might offer.
There is nothing in the Curl or open_basedir documentation to indicate this
is the intent of PHP.NET 

Test script:
// any test script calling for curl redirect
PPError("Testmsg", 0);

function PPError($error_msg, $error_no) {
	// create a new curl resource
	$ch = curl_init();

	// set URL and other appropriate options
	$php_self = substr(htmlspecialchars($_SERVER["PHP_SELF"]), 1); // remove the leading /
	$redirectURL = Utils::getURL("/error.php"); // the Utils class is not shown in this report
	curl_setopt($ch, CURLOPT_URL, $redirectURL);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // the warning is raised here when open_basedir is set

	// set POST fields
	$postFields = "error_msg=".urlencode($error_msg)."&error_no=".urlencode($error_no);
	curl_setopt($ch, CURLOPT_POST, true);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);

	// grab URL, and print
	curl_exec($ch);

	// close the curl resource
	curl_close($ch);
}

Expected result:
Redirect to page

Actual result:
raises error (paraphrased)
"CURLOPT_FOLLOWLOCATION" disabled by safe mode or open_basedir is set


 [2014-02-12 18:25 UTC]
-Status: Open +Status: Duplicate
 [2014-02-12 18:25 UTC]
This check has a reason behind it, but with a modern libcurl version, this check can be skipped, as curl by default will reject file:// location responses.
This is already implemented and will probably land with PHP 5.6:
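
The comment above ties the check to file:// Location responses. As an added example (not code from this report, the PayPal sample, or PHP itself), this is one way a script can follow redirects by hand while CURLOPT_FOLLOWLOCATION is refused under open_basedir, accepting only http/https targets at every hop. The function names are hypothetical, the sample Location values are constructed, and PHP 7+ with ext/curl is assumed.

```php
<?php
// Added example; function names are hypothetical, not part of any library.

// Accept only absolute http/https targets; file:// and other schemes are refused.
function redirect_target_allowed(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    return is_string($scheme) && is_string($host) && $host !== ''
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Follow redirects one hop per request, so every hop passes the check above.
function fetch_with_checked_redirects(string $url, int $maxHops = 5): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!redirect_target_allowed($url)) {
            throw new RuntimeException("refusing URL: $url");
        }
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // libcurl follows nothing itself
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        $body = curl_exec($ch);
        // With FOLLOWLOCATION off, this is the absolute URL of the next hop, if any.
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        unset($ch); // release the handle before the next hop
        if ($body === false) {
            throw new RuntimeException("transfer failed for $url");
        }
        if (!$next) {
            return $body; // no further redirect: this is the final response
        }
        $url = $next;
    }
    throw new RuntimeException('too many redirects');
}

// Constructed Location values, checked offline (no request is made here).
$samples = ['https://example.com/error.php', 'file:///tmp/outside-basedir.txt', '/relative/path'];
foreach ($samples as $loc) {
    echo $loc, ' => ', redirect_target_allowed($loc) ? 'follow' : 'refuse', PHP_EOL;
}
```

Where CURLOPT_FOLLOWLOCATION is permitted, setting CURLOPT_REDIR_PROTOCOLS to `CURLPROTO_HTTP | CURLPROTO_HTTPS` applies the same restriction inside libcurl.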