> I was wondering why CURLOPT_FOLLOWLOCATION requires open_basedir and 
> safe_mode to be turned off.
> The following was found in the changelog(http://www.php.net/ChangeLog-5.php):
> Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are 
> enabled. (Stefan E., Ilia)

I'm guessing that it would allow CURL to follow a link if a server returned a 
301 or 302 redirect.

For example, a PHP script consumes a web service or fetches a webpage from 
another server, then all of a sudden that remote server sends a 301/302 
redirect to a malicious page, CURL would then follow the redirect instead of 
returning an error.

If a server admin is paranoid enough to use safe_mode, they probably wouldn't 
want that to happen (note saying that being paranoid is a bad thing, but I've 
been managing PHP systems for years without safe_mode or open_basedir and never 
had an issue, but I can see why hosting providers may enable it.)

I can't see any conceivable benefit to this restriction when using 
open_basedir, as I thought that related to the local file system - unless CURL 
can use file:// URLs to access the local system?

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to