ID: 38670
Updated by: [EMAIL PROTECTED]
Reported By: serokka at hrn dot ru
-Status: Open
+Status: Feedback
Bug Type: *Configuration Issues
Operating System: FreeBSD 4.10
PHP Version: 4.4.4
New Comment:
>And I'm afraid you should install FreeBSD
Did you really try another system, or are you saying that because you
tested it only on Fbsd?
Previous Comments:
------------------------------------------------------------------------
[2006-09-17 11:30:17] serokka at hrn dot ru
I'm going to say that this problem has been there since the start of the 4.4
branch (4.4.1, 4.4.2 also).
And I'm afraid you should install FreeBSD.
Some steps to repro:
1) FreeBSD 4.9-4.11
2) Apache 2.0.54 prefork (1 VirtualHost in main conf file + 30-40 in
included conf file, open_basedir setting in each entry)
3) PHP 4.4.x as module
Result: We get the mentioned warning (1 per 20 refreshes of a page),
pointing to the first open_basedir value of the included conf file (i.e.
the second VirtualHost!). It appears when displaying ANY file, even simple
HTML (without php and no .htaccess)!
------------------------------------------------------------------------
[2006-09-17 10:19:18] [EMAIL PROTECTED]
Can't replicate it on Linux with Apache2/prefork and worker.
Please check if you can reproduce it with PHP 4.4.2 (there was a change
in 4.4.3 that I suspect might have affected it).
------------------------------------------------------------------------
[2006-09-16 10:23:17] serokka at hrn dot ru
Also I have made a test, copying the new ext/session (php 4.4.4) to the old
distribution (4.3.11), but I haven't got this Warning.
It seems to be a bug in Apache per VirtualHost php runtime settings in the
4.4 branch.
------------------------------------------------------------------------
[2006-09-16 08:47:36] serokka at hrn dot ru
I have checked the diffs of session.c implementations between 4.3.11
and php4-latest-snapshot; here is what caught my attention.
If I understand correctly, there is an implementation of checking
boundaries such as open_basedir at runtime if it was got from the Apache
VirtualHost section.
So, the problem was there from the beginning of the 4 branch??? Is there a
security leak, because sessions sometimes got their paths from another
VirtualHost???
------------------------------------------------------------
@@ -117,6 +117,20 @@ static PHP_INI_MH(OnUpdateSerializer)
return SUCCESS;
}
+static PHP_INI_MH(OnUpdateSaveDir) {
+ /* Only do the safemode/open_basedir check at runtime */
+ if(stage == PHP_INI_STAGE_RUNTIME) {
+ if (PG(safe_mode) && (!php_checkuid(new_value, NULL,
CHECKUID_ALLOW_ONLY_DIR))) {
+ return FAILURE;
+ }
+
+ if (php_check_open_basedir(new_value TSRMLS_CC)) {
+ return FAILURE;
+ }
+ }
+ OnUpdateString(entry, new_value, new_value_length, mh_arg1,
mh_arg2, mh_arg3, stage TSRMLS_CC);
+ return SUCCESS;
+}
/* {{{ PHP_INI
*/
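Review bot: OnUpdateSaveDir discards the result of OnUpdateString and returns SUCCESS unconditionally on its last line, so a failed string update is reported as success; return the OnUpdateString(...) result directly instead. The safe_mode and open_basedir checks are also gated on stage == PHP_INI_STAGE_RUNTIME, which means a value supplied at any other stage is stored unchecked and a runtime value is validated against whichever open_basedir is in effect at that moment; the one-line comment should say why that is intended.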
@@ -124,9 +138,9 @@ PHP_INI_BEGIN()
STD_PHP_INI_BOOLEAN("session.bug_compat_42", "1",
PHP_INI_ALL, OnUpdateBool, bug_compat, php_ps_glo
bals, ps_globals)
STD_PHP_INI_BOOLEAN("session.bug_compat_warn", "1",
PHP_INI_ALL, OnUpdateBool, bug_compat_warn, php_ps_glo
bals, ps_globals)
#ifdef PHP_WIN32
- STD_PHP_INI_ENTRY("session.save_path", "",
PHP_INI_ALL, OnUpdateString, save_path, php_ps_globals
, ps_globals)
+ STD_PHP_INI_ENTRY("session.save_path", "",
PHP_INI_ALL, OnUpdateSaveDir,save_path, php_ps_glo
bals, ps_globals)
#else
- STD_PHP_INI_ENTRY("session.save_path", "/tmp",
PHP_INI_ALL, OnUpdateString, save_path, php_ps_glo
bals, ps_globals)
+ STD_PHP_INI_ENTRY("session.save_path", "/tmp",
PHP_INI_ALL, OnUpdateSaveDir,save_path, php_ps_glo
bals, ps_globals)
#endif
STD_PHP_INI_ENTRY("session.name", "PHPSESSID",
PHP_INI_ALL, OnUpdateString, session_name, php_ps_glo
bals, ps_globals)
PHP_INI_ENTRY("session.save_handler", "files",
PHP_INI_ALL, OnUpdateSaveHandler)
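Review bot: Both replacement STD_PHP_INI_ENTRY lines for session.save_path drop the space after the comma in `OnUpdateSaveDir,save_path`, which breaks the column alignment the neighbouring entries use; restore it. The PHP_WIN32 branch keeps an empty default, so it is worth confirming that a runtime assignment of an empty save_path behaves as intended under the checks added in OnUpdateSaveDir.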
------------------------------------------------------------------------
[2006-09-16 07:56:20] serokka at hrn dot ru
With the latest snapshot we have the same problem.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/38670