Re: [PHP] Why does CURLOPT_FOLLOWLOCATION require open_basedir to be turned off?
> I can't see any conceivable benefit to this restriction when using
> open_basedir, as I thought that related to the local file system -
> unless CURL can use file:// URLs to access the local system?

That's the problem. I always use open_basedir (not all the sites on my servers are safe enough). And that so-called security restriction just makes me furious (unless I'm missing significant reasons for it). So, in order not to irritate my nervous system every time somebody asks me to unset open_basedir for CURL, I decided to find the roots of that action by the PHP developers.

And I don't think it's related to the local file system: there is another option that restricts protocols while redirecting, CURLOPT_REDIR_PROTOCOLS, which by default allows all the protocols supported by CURL except file and scp. So this kind of restriction (do not follow file:// while redirecting) would make sense, but not disabling FOLLOWLOCATION altogether. Either they had a better reason or they messed up a bit :)

Still trying to find a better explanation.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Why does CURLOPT_FOLLOWLOCATION require open_basedir to be turned off?
Hi,

> I was wondering why CURLOPT_FOLLOWLOCATION requires open_basedir and
> safe_mode to be turned off.
>
> The following was found in the changelog (http://www.php.net/ChangeLog-5.php):
>
> Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
> enabled. (Stefan E., Ilia)

I'm guessing that it would allow CURL to follow a link if a server returned a 301 or 302 redirect. For example, a PHP script consumes a web service or fetches a webpage from another server, then all of a sudden that remote server sends a 301/302 redirect to a malicious page; CURL would then follow the redirect instead of returning an error.

If a server admin is paranoid enough to use safe_mode, they probably wouldn't want that to happen (not saying that being paranoid is a bad thing, but I've been managing PHP systems for years without safe_mode or open_basedir and never had an issue, but I can see why hosting providers may enable it.)

I can't see any conceivable benefit to this restriction when using open_basedir, as I thought that related to the local file system - unless CURL can use file:// URLs to access the local system?

Regards,
Andy
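Both posts above circle the same concern: with CURLOPT_FOLLOWLOCATION on, a remote server controls where the next request goes, and a redirect to a file:// URL (or another unwanted scheme) would be followed by libcurl without the script ever seeing it. The function below is an added example written for this thread, not code from either poster or from PHP itself. It keeps CURLOPT_FOLLOWLOCATION off, so it works with open_basedir enabled, and follows redirects by hand, re-checking the scheme of every Location target against an allowlist of http and https, capping the number of hops, and additionally pinning CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS (the option the first post mentions) to HTTP(S) as a second layer. The function name, the hop limit and the timeout are this example's own choices.

```php
<?php
// Added example (not from the mailing-list thread): follow HTTP redirects by
// hand so CURLOPT_FOLLOWLOCATION can stay disabled under open_basedir, while
// refusing any Location target whose scheme is not http or https.

function fetchWithSafeRedirects(string $url, int $maxHops = 5): array
{
    // Constructed allowlist: file://, scp://, ftp:// etc. are never requested.
    $allowedSchemes = ['http', 'https'];
    $hops = 0;

    while (true) {
        // Validate the scheme of the URL we are about to request. This runs
        // for the initial URL and again for every redirect target.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, $allowedSchemes, true)) {
            throw new RuntimeException("Refusing to fetch non-HTTP(S) URL: $url");
        }

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_HEADER          => true,   // headers stay in the response buffer
            CURLOPT_FOLLOWLOCATION  => false,  // we follow redirects ourselves
            // Second layer: even if FOLLOWLOCATION were ever enabled, libcurl
            // itself would be limited to HTTP(S) for both the request and redirects.
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT         => 15,     // example value
        ]);

        $response = curl_exec($ch);
        if ($response === false) {
            $err = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException("curl error for $url: $err");
        }

        $status     = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $headerSize = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        // With FOLLOWLOCATION off, CURLINFO_REDIRECT_URL holds the absolute URL
        // the redirect points to (relative Location values already resolved),
        // or an empty string when the response is not a redirect.
        $location   = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);

        $body = substr($response, $headerSize);

        // Not a redirect, or a 3xx without a usable Location: return as-is.
        if ($status < 300 || $status >= 400 || $location === '') {
            return ['url' => $url, 'status' => $status, 'body' => $body, 'hops' => $hops];
        }

        if (++$hops > $maxHops) {
            throw new RuntimeException("Too many redirects (more than $maxHops) starting from $url");
        }

        // Loop back: the next iteration validates $location's scheme before
        // any request is made, so a redirect to file:///etc/passwd is rejected
        // rather than fetched.
        $url = $location;
    }
}

// Usage (CLI): php fetch.php https://example.com/
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $result = fetchWithSafeRedirects($argv[1]);
    printf("%s -> HTTP %d after %d redirect(s), %d bytes\n",
        $result['url'], $result['status'], $result['hops'], strlen($result['body']));
}
```

The point of validating in the loop rather than only on the initial URL is that the dangerous value is the one the remote server supplies in Location, not the one the script started with. Logging the rejected URL at the throw site gives an operator a clear signal when a third-party endpoint starts redirecting somewhere it should not.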