Because path = expand_filepath(filename, NULL TSRMLS_CC); will change "http://../../../etc/passwd" to path=/etc/passwd
(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check realy path "http://../../../etc/passwd". http:// is using in php_checkuid_ex(), so safe_mode is bypassed.
Comment