Hi,

> I was wondering why CURLOPT_FOLLOWLOCATION requires open_basedir and 
> safe_mode to be turned off.
> 
> The following was found in the changelog(http://www.php.net/ChangeLog-5.php):
> 
> Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are 
> enabled. (Stefan E., Ilia)

I'm guessing that it would allow CURL to follow a link if a server returned a 
301 or 302 redirect.

For example, a PHP script consumes a web service or fetches a webpage from 
another server, then all of a sudden that remote server sends a 301/302 
redirect to a malicious page, CURL would then follow the redirect instead of 
returning an error.

If a server admin is paranoid enough to use safe_mode, they probably wouldn't 
want that to happen (not saying that being paranoid is a bad thing, but I've 
been managing PHP systems for years without safe_mode or open_basedir and never 
had an issue, but I can see why hosting providers may enable it.)

I can't see any conceivable benefit to this restriction when using 
open_basedir, as I thought that related to the local file system - unless CURL 
can use file:// URLs to access the local system?

Regards,
Andy
--
PHP General Mailing List (http://www.php.net/)
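The redirect scenario discussed above, as an added example that is not part of the original message: PHP code that keeps CURLOPT_FOLLOWLOCATION off and checks every redirect target before requesting it, so a Location header naming a non-HTTP scheme such as file:// is refused instead of followed. The function name fetch_checked, the five-hop limit and the ten-second timeout are assumptions made for illustration.

```php
<?php
// Added example. fetch_checked() is a hypothetical helper, not a PHP or libcurl API.
// It follows redirects by hand so each hop can be inspected before it is fetched.
function fetch_checked(string $url, int $maxHops = 5): string
{
    $allowed = ['http', 'https'];

    for ($hop = 0; $hop <= $maxHops; $hop++) {
        // Reject file://, ftp://, gopher:// and anything else before any request is made.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, $allowed, true)) {
            throw new RuntimeException("refusing non-HTTP(S) URL at hop $hop: $url");
        }

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // libcurl never follows on its own
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // second layer
            CURLOPT_TIMEOUT        => 10,
        ]);

        $body = curl_exec($ch);
        if ($body === false) {
            throw new RuntimeException('transfer failed: ' . curl_error($ch));
        }

        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        // With FOLLOWLOCATION off, libcurl reports where the redirect would
        // have gone, already resolved to an absolute URL.
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);

        if ($status < 300 || $status >= 400 || !$next) {
            return $body; // final response, not a redirect
        }
        $url = $next; // validated at the top of the next iteration
    }

    throw new RuntimeException("more than $maxHops redirects");
}
```

Because the option is only ever set to false, this approach also works on installations where open_basedir is enabled.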