The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to bypass the open_basedir protection mechanism and read arbitrary files via vectors involving a stream_close method call during use of a custom stream wrapper.
https://github.com/php/php-src/blob/master/ext/libxml/tests/bug61367-write.phpt
https://github.com/php/php-src/blob/master/ext/libxml/tests/bug61367-read.phpt