Hi, this is the first time I start a personal conversation
I just wanted to thank you for your calm and brilliant explanation of the “security issue”. David removed the thread as a flame war. If you’d want to place your answer elsewhere, on a github issue like https://github.com/mautic/mautic/issues/2034 perhaps, I saved it for you:
It's one of the principle means of preventing any XSS or rogue PHP vulnerability causing damage systemwide. Don't take my word for it, here's an explanation on PHP's site what it's supposed to prevent (https://secure.php.net/manual/en/ini.core.php#ini.open-basedir) or just look in the image above. Open_basedir is a poorman's "jail".
However, this supposed vulnerability doesn't work the way you think it does. If you don't know what a random generator is or what it does relating to this by accessing the entropy pool in urandom generated by devices drives simply running in kernel space, it's best to remain quiet. The discussion explains how the v2 version ignores the random generator in OpenSSL and uses the random generator from Linux's kernel space (/dev/urandom) instead. With a correctly locked down open_basedir restricted only to where PHP files reside, PHP rightly blocks access outside access except for the directories whitelisted which is good practices.