Open
Description
Currently the config in options passed to some functions is not checked for being inside the open_basedir restriction. This should probably be fixed just in master, as it is not usually a big issue considering that the config is basically read-only, and some user flows might have relied on it being in the system path, so we don't want to break them in a patch release. However, we should still conform to the open_basedir rules and prohibit it in the master branch. One thing to note is that this should not be applied to the default path, as it would be too big a break for not a big gain.
The following code:
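```php
<?php
// Assumption: $file_path is the directory that contains openssl.cnf
$file_path = __DIR__;
// config path (existing file, outside the open_basedir set below)
$config = "$file_path/openssl.cnf";
ini_set('open_basedir', "$file_path/config");
$pkey = openssl_pkey_new([
    'config' => $config
]);
var_dump($pkey);
```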
Resulted in this output:
```
object...
```
But I expected this output instead:
```
possibly warning
bool(false)
```
PHP Version
Any
Operating System
Any