Why was CURLOPT_FOLLOWLOCATION made incompatible w

Published 2019-08-07 01:37

Question:

PHP's cURL library doesn't allow following HTTP redirects when the server administrator has set open_basedir. This has produced questions on SO like curl follow location error with a lot of duplicates, and most answers are either "switch to a hosting provider that allows turning off open_basedir" or abstraction inversions that attempt (with varying levels of quality) to reimplement cURL's HTTP redirect logic in PHP.

I just wonder why the PHP developers chose to make them mutually exclusive in the first place. What security purpose does PHP's policy of refusing to follow redirects from one HTTP or HTTPS URI to another HTTP or HTTPS URI when the server administrator has set open_basedir serve?

Answer 1:

It was originally implemented because libcurl didn't ignore `Location: file://` redirects. Since curl also allows local file access, this would have subverted the basedir constraints.

This designed "incompatibility" was loosened in more recent versions, btw:

  • https://bugs.php.net/bug.php?id=65646
  • https://github.com/php/php-src/commit/fba290c061027c24e4c8effdba37addd3430c3d4
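The mitigation the answer points at is a scheme allow-list on redirect targets, so that a `Location: file://...` header can never turn an outbound HTTP request into a local file read. The following is an added example, not code from the question, the answer or php-src: it follows redirects with `CURLOPT_FOLLOWLOCATION` but confines both the initial request and every followed redirect to HTTP and HTTPS via `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS`, then double-checks the scheme of the final URL. The function name and the URL it is called with are hypothetical; it assumes ext/curl built against a libcurl recent enough to support those two options.

```php
<?php
// Added example (not from the original post or from php-src): follow HTTP(S)
// redirects while refusing any redirect to a non-HTTP(S) scheme such as file://.
// Assumes ext/curl on a libcurl that supports CURLOPT_PROTOCOLS and
// CURLOPT_REDIR_PROTOCOLS. Function name and test URL are hypothetical.
function fetchWithSafeRedirects(string $url, int $maxRedirects = 5): array
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => $maxRedirects,
        // Scheme allow-list for the initial request ...
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // ... and, separately, for every Location: target libcurl follows.
        // Without this, an old libcurl would follow "Location: file:///..."
        // and read a local file, which is what bypassed open_basedir.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 30,
    ]);

    $body = curl_exec($ch);
    $result = [
        'ok'            => $body !== false,
        'errno'         => curl_errno($ch),
        'error'         => curl_error($ch),
        'status'        => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'redirects'     => curl_getinfo($ch, CURLINFO_REDIRECT_COUNT),
        'effective_url' => curl_getinfo($ch, CURLINFO_EFFECTIVE_URL),
        'body'          => $body === false ? '' : $body,
    ];
    curl_close($ch);

    // Belt and braces: confirm the URL we actually ended up at is HTTP(S),
    // independently of what libcurl enforced.
    $scheme = strtolower((string) parse_url($result['effective_url'], PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $result['ok']    = false;
        $result['error'] = 'Final URL has a disallowed scheme: ' . $scheme;
    }
    return $result;
}

// Usage with a hypothetical URL: a chain of HTTP(S) redirects is followed up to
// $maxRedirects; a redirect to file:// (or any other scheme) makes curl_exec()
// fail with CURLE_UNSUPPORTED_PROTOCOL instead of being followed.
$r = fetchWithSafeRedirects('https://example.com/redirect-chain');
printf("ok=%s status=%d redirects=%d final=%s\n",
    $r['ok'] ? 'yes' : 'no', $r['status'], $r['redirects'], $r['effective_url']);
if (!$r['ok']) {
    echo "error ({$r['errno']}): {$r['error']}\n";
}
```

`CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` are independent: the first only governs the URL you pass in, so a server-controlled `Location:` header is exactly the case the second one exists for. Keeping `CURLOPT_MAXREDIRS` small also bounds how far a redirect chain can walk the client around.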