From 3d497a4f7f7ef8013be14ee18403c42c8cee737e Mon Sep 17 00:00:00 2001
From: Antony Dovgal
Date: Tue, 31 Jan 2006 10:57:52 +0000
Subject: [PATCH] fix #36223 (curl bypasses open_basedir restrictions)
---
 NEWS | 1 +
 ext/curl/curl.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 8f8c450e14..6aa4eaf013 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.3
 - Added a check for special characters in the session name. (Ilia)
+- Fixed bug #36223 (curl bypasses open_basedir restrictions). (Tony)
 - Fixed bug #36148 (unpack("H*hex", $data) is adding an extra character to the end of the string). (Ilia)
 - Fixed bug #36017 (fopen() crashes PHP when opening a URL). (Tony)
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index b125e23cbd..931aafaeb4 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -159,7 +159,7 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
 #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
 if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
- strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
 { \
 php_url *tmp_url; \
 \
-- 
2.50.1
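Review bot: The guard in PHP_CURL_CHECK_OPEN_BASEDIR is still a prefix match on the raw string the caller passes, so it only covers the URL as written at the call site. Whether a transfer can end up on the file scheme some other way (for instance after a followed redirect) cannot be judged from this hunk; it should be confirmed where the macro is used, or handled by restricting redirects while open_basedir or safe_mode is active. The new comparison also has no comment explaining why the prefix is `file:` rather than `file://`, which makes it easy to "tidy" back later; I would add `/* compare against "file:" only: file URLs written without "//" must also go through the open_basedir check (bug #36223) */` above the `#define`. The macro body continues outside the hunk, so the php_url parsing that follows is not reviewed here.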