вот нашел
http://groups.google.pl/group/mailing.unix.bugtraq/browse_thread/thread/fad2925061ad312d
PHP 5.2.5 cURL safe_mode bypass
The first issue [SAFE_MODE bypass]
var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));
the last step in curl_init() function will only copy file://safe_mode_bypass to urlcopy.
The main problem exists in php_url_parse_ex() function. If you put in curl_init() "file://host/somewhere/path.php", php_url_parse_ex() will select /somewhere/path.php to path varible. Looks good but it cannot be used, when you will check real path. Using file:///etc/passwd is correct but between file:// and /etc/passwd, php_url_parse_ex() will select host and return path to /passwd.

как норм запрос составить
делаю var_dump(curl_exec(curl_init("file://etc/passwd")));
белая страница с надписью bool(false)
как я понел файл должен скопироваться?