ID:               42894
Updated by:       [EMAIL PROTECTED]
Reported By:      yurtesen at ispro dot net
-Status:           Open
+Status:           Feedback
Bug Type:         Session related
Operating System: FreeBSD
PHP Version:      5.2.4
New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz

For Windows (zip):

  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi


Previous Comments:
------------------------------------------------------------------------

[2007-10-08 21:11:52] yurtesen at ispro dot net

Description:
------------
In shared hosting environment the hosts shouldn't be able to read each
other's session files. Earlier it was possible to set session.save_path
in php.ini and session_start(); would create the session files even
outside the open_basedir restrictions. This is useful to allow users to
create sessions yet not able to read them directly using file functions.
Also disallows sites to read each other's session files which can
include session data.

If sites were defined with
open_basedir = /var/tmp:/home/site.com
then each site could read each other's session files. Unless there was
different session.save_paths for each site also. Which is impractical.

It should be safe to let the value in php.ini to override open_basedir.
The security bug
"Fixed session.save_path and error_log values to be checked against
open_basedir and safe_mode (CVE-2007-3378) (Stas, Maksymilian
Arciemowicz)"
affects values being changed using .htaccess files only. The main
server php.ini file should be safe to use!

Reproduce code:
---------------
set open_basedir to /somewhere
set session.save_path to /anotherplace

<?php
session_start();
?>

Expected result:
----------------
session file created in /anotherplace

Actual result:
--------------
Warning: session_start() [function.session-start]: open_basedir
restriction in effect. File(/anotherplace) is not within the allowed
path(s):


------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=42894&edit=1
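
The following audit sketch is an added example, not part of the bug report or of PHP itself. It checks which sites on a shared host could open another site's session directory because that directory falls inside their open_basedir, as in the /var/tmp layout the report describes. The site names and settings are constructed, and open_basedir entries are compared as directories without resolving symlinks (an assumption).

```python
import posixpath

# Constructed per-site settings (hypothetical hosts); the first two mirror the
# report's shared /var/tmp layout, the third uses a per-site session directory.
SITES = {
    "site.com": {"open_basedir": "/var/tmp:/home/site.com",
                 "session.save_path": "/var/tmp"},
    "other.example": {"open_basedir": "/var/tmp:/home/other.example",
                      "session.save_path": "/var/tmp"},
    "isolated.example": {"open_basedir": "/home/isolated.example",
                         "session.save_path": "2;/home/isolated.example/sessions"},
}

def session_dir(save_path):
    """Return the directory part of session.save_path ("N;/path" or "N;MODE;/path")."""
    return posixpath.normpath(save_path.split(";")[-1])

def allowed(path, open_basedir):
    """True if path lies inside one of the colon-separated open_basedir entries.
    Simplification: entries are compared as directories, symlinks are not resolved."""
    path = posixpath.normpath(path)
    for entry in filter(None, open_basedir.split(":")):
        base = posixpath.normpath(entry)
        if base == "/" or path == base or path.startswith(base + "/"):
            return True
    return False

def cross_readable(sites):
    """List (reader, owner) pairs where reader's scripts may open owner's session dir.
    An empty open_basedir means no restriction, so that site can read everything."""
    pairs = []
    for reader, r in sites.items():
        for owner, o in sites.items():
            if reader == owner:
                continue
            target = session_dir(o["session.save_path"])
            if not r["open_basedir"] or allowed(target, r["open_basedir"]):
                pairs.append((reader, owner))
    return sorted(pairs)

if __name__ == "__main__":
    for reader, owner in cross_readable(SITES):
        print(f"{reader} can read session files of {owner}")
```
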
