From: yurtesen at ispro dot net
Operating system: FreeBSD
PHP version: 5.2.4
PHP Bug Type: Session related
Bug description: session.save_path IN PHP.INI does not override open_basedir
Description:
------------
In a shared hosting environment the hosts shouldn't be able to read each other's session files. Earlier it was possible to set session.save_path in php.ini and session_start(); would create the session files even outside the open_basedir restrictions. This is useful to allow users to create sessions yet not be able to read them directly using file functions. It also disallows sites from reading each other's session files, which can include session data. If sites were defined with open_basedir = /var/tmp:/home/site.com then each site could read each other's session files, unless there were different session.save_paths for each site also, which is impractical. It should be safe to let the value in php.ini override open_basedir. The security bug "Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Stas, Maksymilian Arciemowicz)" affects values being changed using .htaccess files only. The main server php.ini file should be safe to use!

Reproduce code:
---------------
set open_basedir to /somewhere
set session.save_path to /anotherplace
<?php session_start(); ?>

Expected result:
----------------
session file created in /anotherplace

Actual result:
--------------
Warning: session_start() [function.session-start]: open_basedir restriction in effect.
File(/anotherplace) is not within the allowed path(s):

-- Edit bug report at http://bugs.php.net/?id=42894&edit=1
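The exposure the reporter describes can be checked from inside a tenant's account. The script below is an added example, not part of bug #42894 and not code from PHP itself: it reads the effective session.save_path and open_basedir, decides whether the session directory is lexically inside an open_basedir prefix (the documented prefix semantics, not PHP's internal php_check_open_basedir(), which also resolves symlinks), and, if it is, counts the sess_* files this account can open. The two layouts fed to path_within_open_basedir() in the CLI block are the reporter's own (/var/tmp:/home/site.com, and /somewhere vs /anotherplace); everything else on disk is whatever the host actually configured.

```php
<?php
// Added example (not from bug #42894, not PHP project code): audit whether this site's
// open_basedir lets it reach the session directory with ordinary file functions, and
// whether other tenants' session files in that directory are readable from here.

// Strip the optional "N;" and "N;MODE;" prefixes PHP accepts in session.save_path and
// return the bare directory; an empty value falls back to the system temp dir, as PHP does.
function session_save_dir($save_path)
{
    $parts = explode(';', (string) $save_path);
    $dir   = trim(end($parts));
    return $dir === '' ? sys_get_temp_dir() : $dir;
}

// open_basedir is a PATH_SEPARATOR-separated list of directory prefixes. A path is
// allowed when it sits under one of them; an empty open_basedir means no restriction.
function path_within_open_basedir($path, $open_basedir)
{
    if ($open_basedir === '' || $open_basedir === false || $open_basedir === null) {
        return true;
    }
    $path = rtrim($path, '/') . '/';
    foreach (explode(PATH_SEPARATOR, $open_basedir) as $prefix) {
        $prefix = rtrim($prefix, '/') . '/';
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// List the session files in $dir that this process can open for reading. In a directory
// shared between tenants, every readable file belongs to some site on the box and holds
// that site's serialized session data.
function readable_session_files($dir)
{
    $matches = glob(rtrim($dir, '/') . '/sess_*');
    if ($matches === false) {          // glob() returns false on error on some platforms
        $matches = array();
    }
    $readable = array();
    foreach ($matches as $file) {
        if (is_readable($file)) {
            $readable[] = $file;
        }
    }
    return $readable;
}

// Combine the configured values into a verdict for this site.
function audit_session_exposure()
{
    $dir    = session_save_dir(ini_get('session.save_path'));
    $inside = path_within_open_basedir($dir, ini_get('open_basedir'));
    $files  = $inside ? readable_session_files($dir) : array();
    return array(
        'save_path'           => $dir,
        'open_basedir'        => ini_get('open_basedir'),
        'reachable_by_files'  => $inside,
        'readable_sess_files' => count($files),
        'verdict'             => ($inside && count($files) > 0)
            ? 'EXPOSED: session files live in a directory this site may read'
            : 'session directory is not readable through file functions',
    );
}

if (PHP_SAPI === 'cli') {
    // The reporter's shared layout: the session dir is inside open_basedir.
    var_dump(path_within_open_basedir('/var/tmp', '/var/tmp:/home/site.com'));
    // The reporter's reproduce case: save_path outside open_basedir, where 5.2.4 warns.
    var_dump(path_within_open_basedir('/anotherplace', '/somewhere'));
    // Live check against this account's real php.ini / per-site settings.
    print_r(audit_session_exposure());
}
```

Run it under the same SAPI and user the site runs as; a count of readable sess_* files above the site's own is the cross-tenant read the report warns about, and the only remedies without the php.ini override are a per-site session.save_path outside every other site's open_basedir or a directory with permissions that stop other tenants' PHP processes from opening the files.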
