On Wed, Aug 27, 2008 at 11:59 PM, Stanislav Malyshev <[EMAIL PROTECTED]> wrote:
> Hi!
>
>> ext/sessions/mod_files.c:281 has a hardcoded openbasedir-check
>> skipping of "/tmp" path for storing session-files, if
>> sessions.save_path is not manually set.
>
> I would think the idea was to make it easier on inexperienced users. Since
> default AFAIK is /tmp, and it is highly unlikely that somebody would need to
> hide /tmp from the users, it makes more scenarios to work out of the box.
>
>> Anyway, this looks like something done wrong from the beginning.
>> Shouldn't "/tmp" be explicitly added to open_basedir list? Why should
>> it have any special meaning?
>> I propose to remove special treatment of "/tmp" (should be mentioned
>> in upgrade-docs)
>
> Is there any problem that this treatment is causing? I.e. on Mac the default
> is different, but that's not a problem of this treatment - it's rather
> missing special treatment of /var/tmp on mac, I'd say :) So Mac users don't
> get this boon, but is it the reason to remove it from other users?
Yes, it is in my opinion a flaw. It is the admin's role to define a correct open_basedir set. The temporary directory should not be system-wide in a shared hosting environment, especially not when the sessions are stored there by default.

I don't think we should fix documentation problems by adding such tricks in a security-related feature :)

Cheers,
--
Pierre
http://blog.thepimp.net | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
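As an added illustration of the point argued in this thread (not code from the thread or from PHP's mod_files.c), a C sketch of an open_basedir-style directory containment check, beside a variant that hardcodes a /tmp exemption the way the quoted report describes. Paths are assumed already canonical (no symlink or ".." resolution), and the base-directory list is constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Does `path` lie inside directory `dir`? The match must end on a path
 * separator so that "/tmpfoo" is not treated as being inside "/tmp". */
static bool path_within(const char *dir, const char *path) {
    size_t n = strlen(dir);
    while (n > 1 && dir[n - 1] == '/') n--;          /* ignore trailing slashes */
    if (n == 1 && dir[0] == '/') return path[0] == '/'; /* root contains all absolute paths */
    if (strncmp(path, dir, n) != 0) return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Strict policy: `path` is allowed only if some configured base dir contains it. */
static bool open_basedir_allows(const char *const *bases, size_t count, const char *path) {
    for (size_t i = 0; i < count; i++)
        if (path_within(bases[i], path)) return true;
    return false;
}

/* Legacy variant modelled on the behaviour discussed in the thread: the default
 * session directory is exempt from the check, so the admin's open_basedir list
 * has no say over it. */
static bool legacy_session_path_allows(const char *const *bases, size_t count,
                                       const char *save_path) {
    if (strcmp(save_path, "/tmp") == 0) return true;   /* hardcoded exemption */
    return open_basedir_allows(bases, count, save_path);
}

/* Constructed shared-hosting policy: one vhost confined to its own tree. */
static const char *const DEMO_BASES[] = { "/var/www/site1", "/var/www/site1-tmp" };
static const size_t DEMO_BASE_COUNT = sizeof DEMO_BASES / sizeof DEMO_BASES[0];

int main(void) {
    const char *cases[] = { "/tmp", "/var/www/site1/sess", "/var/www/site10", "/tmpfoo" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s strict=%d legacy=%d\n", cases[i],
               open_basedir_allows(DEMO_BASES, DEMO_BASE_COUNT, cases[i]),
               legacy_session_path_allows(DEMO_BASES, DEMO_BASE_COUNT, cases[i]));
    return 0;
}
```

Only "/tmp" differs between the two columns: the strict check rejects it because no configured base dir contains it, while the legacy variant lets it through regardless of what the admin configured.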