Bug #37627 session_save_directory checks wrong directory in safe mode
Submitted: 2006-05-29 12:34 UTC Modified: 2006-12-04 15:20 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bla at cs dot huji dot ac dot il Assigned:
Status: Closed Package: Session related
PHP Version: 5.1.4 OS: freebsd 6.1
Private report: No CVE-ID:
 [2006-05-29 12:34 UTC] bla at cs dot huji dot ac dot il
Description:
------------
When I run this command:

session_save_path("/var/spool/sessions");

I get:

session_save_path() [function.session-save-path]: SAFE MODE Restriction in effect. The script whose uid is 24713 is not allowed to access /var/spool

The information in the message is correct but I suppose the function should check /var/spool/sessions, not /var/spool. (note that /var/spool/session exists and has the right permissions so there's no need to modify /var/spool).

Probably the OnUpdateSaveDir() function in session.c should give a different flag to php_checkuid().




 [2006-05-29 12:46 UTC] tony2001@php.net
>Note that /var/spool/session exists and has the right
> permissions so there's no need to modify /var/spool).

/var/spool/session or /var/spool/sessions ?
What if you try this:
session_save_path("/var/spool/sessions/"); ?
 [2006-05-30 07:38 UTC] bla at cs dot huji dot ac dot il
This is the 3rd time I write this reply, it keeps disappearing after I submit it. Anyway:

Appending a '/' to the path fixes the problem, thanks.

However, it should work even without a trailing '/', just like any other path-related setting.
 [2006-12-04 15:20 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
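The behaviour reported in this thread, as a simplified model (an added example, not code from PHP or from any participant; both function names are hypothetical): a check that treats the configured path as a file name inspects the containing directory, so the result changes with a trailing '/', while a check that treats it as a directory does not.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not PHP source: treat `path` as a file name and
 * return the directory that contains it, i.e. drop the last component.
 * This reproduces what the report observed for a path with no trailing '/'. */
static const char *dir_if_treated_as_file(const char *path, char *out, size_t n)
{
    const char *slash = strrchr(path, '/');
    size_t len;

    if (slash == NULL) {
        len = 1; path = ".";          /* bare name: containing dir is "." */
    } else if (slash == path) {
        len = 1;                      /* "/name": containing dir is "/" */
    } else {
        len = (size_t)(slash - path);
    }
    if (len >= n) return NULL;        /* refuse to truncate a path */
    memcpy(out, path, len);
    out[len] = '\0';
    return out;
}

/* Hypothetical corrected variant: the setting names a directory, so check
 * that directory itself; only redundant trailing slashes are removed. */
static const char *dir_if_treated_as_dir(const char *path, char *out, size_t n)
{
    size_t len = strlen(path);

    while (len > 1 && path[len - 1] == '/') len--;
    if (len == 0 || len >= n) return NULL;
    memcpy(out, path, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: the two spellings used in the thread. */
    const char *samples[] = { "/var/spool/sessions", "/var/spool/sessions/" };
    char a[256], b[256];

    for (size_t i = 0; i < 2; i++)
        printf("%-22s as-file: %-20s as-dir: %s\n", samples[i],
               dir_if_treated_as_file(samples[i], a, sizeof a),
               dir_if_treated_as_dir(samples[i], b, sizeof b));
    return 0;
}
```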


 
Last updated: Wed Apr 23 07:02:14 2014 UTC