Why does CURLOPT_FOLLOWLOCATION require open_basedir to be turned off?

on 13.12.2009 14:18:49 by Alex S Kurilo aka Kamazee

I was wondering why CURLOPT_FOLLOWLOCATION requires open_basedir and
safe_mode to be turned off.

The following was found in the changelog (http://www.php.net/ChangeLog-5.php):

Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode
are enabled. (Stefan E., Ilia)

Also I read some forum posts about security restrictions blah-blah but
didn't find anything specific, unfortunately.

Can anybody explain the reasons for such a strange restriction, or tell me
what security issues CURLOPT_FOLLOWLOCATION raises when open_basedir is set?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Why does CURLOPT_FOLLOWLOCATION require open_basedir to be turned off?

on 13.12.2009 17:08:44 by andy-lists

Hi,

> I was wondering why CURLOPT_FOLLOWLOCATION requires open_basedir and safe_mode to be turned off.
>
> The following was found in the changelog (http://www.php.net/ChangeLog-5.php):
>
> Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are enabled. (Stefan E., Ilia)

I'm guessing that it would allow CURL to follow a link if a server returned a 301 or 302 redirect.

For example, a PHP script consumes a web service or fetches a webpage from another server, then all of a sudden that remote server sends a 301/302 redirect to a malicious page. CURL would then follow the redirect instead of returning an error.

If a server admin is paranoid enough to use safe_mode, they probably wouldn't want that to happen (not saying that being paranoid is a bad thing, but I've been managing PHP systems for years without safe_mode or open_basedir and never had an issue, but I can see why hosting providers may enable it).

I can't see any conceivable benefit to this restriction when using open_basedir, as I thought that related to the local file system - unless CURL can use file:// URLs to access the local system?

Regards,
Andy


Re: Why does CURLOPT_FOLLOWLOCATION require open_basedir to be turned off?

on 13.12.2009 18:26:31 by Alex S Kurilo aka Kamazee

> I can't see any conceivable benefit to this restriction when using open_basedir, as I thought that related to the local file system - unless CURL can use file:// URLs to access the local system?
That's the problem.
I always use open_basedir (not all the sites on my servers are safe
enough). And that so-called security restriction just makes me furious
(unless I don't see significant reasons for it). So, in order not to
irritate my nervous system every time somebody asks me to unset
open_basedir for CURL, I decided to find the roots of that PHP
developers' action.

And I don't think it's related to the local file system: there is
another option that restricts protocols while redirecting,
CURLOPT_REDIR_PROTOCOLS, which allows by default all the protocols
supported by CURL, but file and scp. So this kind of restriction (do not
follow file:// while redirecting) would make sense, but not disabling
FOLLOWLOCATION at all. Either they had a better reason or they messed up
a bit :)

Still trying to find a better explanation.

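The narrower restriction the reply above argues for (refuse file:// and scp:// redirect targets rather than disabling redirects entirely) can be applied from PHP code without ever enabling CURLOPT_FOLLOWLOCATION, so it also works where open_basedir is set. The following is an added example, not code from the thread or from PHP itself; it assumes PHP 5.3+ (closures) with ext/curl, and the function names are my own.

```php
<?php
// Added example: follow redirects one hop at a time with FOLLOWLOCATION off,
// allowing only http/https targets (what CURLOPT_REDIR_PROTOCOLS would express).

function resolve_location($base, $loc)
{
    if (parse_url($loc, PHP_URL_SCHEME) !== null) return $loc;            // absolute
    $b = parse_url($base);
    if (substr($loc, 0, 2) === '//') return $b['scheme'] . ':' . $loc;     // scheme-relative
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    if ($loc !== '' && $loc[0] === '/') return $origin . $loc;             // host-relative
    $dir = isset($b['path']) ? rtrim(dirname($b['path']), '/') : '';
    return $origin . $dir . '/' . $loc;                                    // path-relative
}

function fetch_with_safe_redirects($url, $maxHops = 5, array $allowed = array('http', 'https'))
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, $allowed, true)) {
            throw new RuntimeException("Refusing non-HTTP URL: $url");
        }
        $location = null;
        $ch = curl_init($url);
        curl_setopt_array($ch, array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,                  // decide each hop ourselves
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
            CURLOPT_HEADERFUNCTION => function ($ch, $line) use (&$location) {
                if (stripos($line, 'Location:') === 0) {      // remember redirect target
                    $location = trim(substr($line, 9));
                }
                return strlen($line);
            },
        ));
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $err  = curl_error($ch);
        curl_close($ch);
        if ($body === false) {
            throw new RuntimeException("curl failed for $url: $err");
        }
        if ($code < 300 || $code >= 400 || $location === null) {
            return array('url' => $url, 'status' => $code, 'body' => $body);
        }
        $url = resolve_location($url, $location);            // re-checked at top of loop
    }
    throw new RuntimeException("Too many redirects (limit $maxHops)");
}
```

Every hop's URL is validated before curl is invoked, so a Location header pointing at file:// or scp:// raises an exception instead of being followed, and the hop limit prevents redirect loops.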