mollie / reseller-api

Reseller API for creating and managing Mollie accounts
https://www.mollie.com/
BSD 2-Clause "Simplified" License

Avoid CURLOPT_FOLLOWLOCATION w/ restricted basedir #28

Closed firstred closed 6 years ago

firstred commented 6 years ago

When the `open_basedir` restriction is in effect, the `CURLOPT_FOLLOWLOCATION` option cannot be set. This line would previously generate a warning with `open_basedir` restrictions.
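As an added illustration (not code from the reseller-api repository), this is how a request can be made without `CURLOPT_FOLLOWLOCATION` so it works under `open_basedir`: a redirect is surfaced as an error instead of being followed, and non-HTTP schemes are refused outright. The function name and the POST shape are assumptions.

```php
<?php
// Added example, not the reseller-api's own code. The request never sets
// CURLOPT_FOLLOWLOCATION (which PHP refuses under open_basedir), so a 3xx
// answer cannot be followed implicitly; it is reported to the caller instead.

function fetchWithoutRedirects(string $url, array $postFields = []): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Restrict the transfer to http(s) so cURL will not touch other schemes.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($postFields),
        CURLOPT_TIMEOUT        => 10,
        // Deliberately no CURLOPT_FOLLOWLOCATION here.
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL error: ' . $err);
    }

    $status   = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    // Where the server wanted to send us, without having gone there.
    $location = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
    curl_close($ch);

    if ($status >= 300 && $status < 400) {
        throw new RuntimeException(
            "Unexpected redirect ($status) to " . ($location ?: 'unknown location')
        );
    }

    return ['status' => $status, 'body' => $body];
}
```

The API endpoint is not expected to redirect, so treating any 3xx as a failure loses nothing and keeps the client working whether or not `open_basedir` is configured.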

willemstuursma commented 6 years ago

That's a really weird limitation! I guess it is to prevent reading files by redirecting to the file:// scheme.

We don't need to follow redirects for this API endpoint. Can you remove this call to curl_setopt() completely?

firstred commented 6 years ago

Indeed, it looks like it could be used to circumvent basedir restrictions by using symlinks. Perhaps the cURL extension team didn't have enough time/knowledge to patch the cURL library enough to make it secure. I'll remove the call in a sec!

firstred commented 6 years ago

Removed!

willemstuursma commented 6 years ago

Thanks @firstred. Though I am surprised that anyone is still using this.

firstred commented 6 years ago

It is configured by default on Plesk.