--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200
+++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */
+/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -66,7 +66,7 @@
 #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
 #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
- if (PG(open_basedir) && *PG(open_basedir) && \
+ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
 strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
 { \
 php_url *tmp_url; \
@@ -76,7 +76,7 @@
 RETURN_FALSE; \
 } \
 \
- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
 (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
 ) { \
 php_url_free(tmp_url); \
@@ -992,10 +992,15 @@
 postval = Z_STRVAL_PP(current);
 if (*postval == '@') {
+ ++postval;
+ /* safe_mode / open_basedir check */
+ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+ RETURN_FALSE;
+ }
 error = curl_formadd(&first, &last, CURLFORM_COPYNAME, string_key, CURLFORM_NAMELENGTH, (long)string_key_len - 1,
- CURLFORM_FILE, ++postval,
+ CURLFORM_FILE, postval,
 CURLFORM_END);
 } else {
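Review bot: In the `@@ -66,7 +66,7 @@` hunk the widened condition still gates the whole check on the literal prefix `"file://"`, so both the safe_mode and the open_basedir tests are skipped for any other spelling that libcurl might still resolve to a local file. Whether the linked libcurl accepts such forms is not visible here and should be confirmed. If it does, matching the scheme alone with `strncasecmp(str, "file:", sizeof("file:") - 1) == 0` is the tighter guard. The macro body starts before and continues past this hunk.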
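Review bot: In the `@@ -76,7 +76,7 @@` hunk the new `tmp_url->query ||` test carries no comment saying why a query string makes a file URL unacceptable, and the sibling field `tmp_url->fragment` is not tested. Presumably the parsed `path` stops at `?` (and likewise at `#`) while the transfer may use the whole string, so the path that is checked could differ from the path that is opened. I would extend the line to `if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \` and put a one-line comment above it stating that reason. `tmp_url->path` is also passed on without a NULL test in the visible lines; the macro starts and ends outside the hunk, so that may already be handled elsewhere.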
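Review bot: In the `@@ -992,10 +992,15 @@` hunk the added `RETURN_FALSE;` leaves the function without releasing the form list that `curl_formadd(&first, &last, ...)` has been building. If earlier fields were already appended, that memory is lost on every rejected upload; this is inferred, because the surrounding loop lies outside the hunk. Calling `curl_formfree(first);` immediately before `RETURN_FALSE;` would cover it. The check also runs when the option is set, whereas the file is presumably opened only when the transfer executes, so the comment `/* safe_mode / open_basedir check */` should say that the path is validated at set time and can change before it is read.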