php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #42077 Why have the session folder in open_basedir
Submitted: 2007-07-23 08:00 UTC Modified: 2007-08-16 21:03 UTC
Votes:5
Avg. Score:4.8 ± 0.4
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: spam2 at rhsoft dot net Assigned: stas (profile)
Status: Closed Package: Session related
PHP Version: 5CVS-2007-07-23 (snap) OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2007-07-23 08:00 UTC] spam2 at rhsoft dot net 
Description:
------------
The Session-Save-Dir MUST NOT be in open_basedir because scripts must not read session files for security!

And a failed session_start() have not to be fatal error too


Warning: session_start() [function.session-start.php]: open_basedir
restriction in effect. File(/var/www/sessiondata) is not within the
allowed path(s):
(/mnt/data/www/www.rhsoft.net:/mnt/data/www/phpincludes:/usr/share/pear:/var/www/uploadtemp)
in /mnt/data/www/www.rhsoft.net/test.php on line 2

Fatal error: session_start() [<a
href='http://at.php.net/manual/de/function.session-start.php'>function.session-start.php</a>]:
Failed to initialize storage module: files (path: /var/www/sessiondata)
in /mnt/data/www/www.rhsoft.net/test.php on line 2

Reproduce code:
---------------
<?php
 session_start();
?>

Expected result:
----------------
A started session

Actual result:
--------------
A killed script

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-07-23 09:12 UTC] jani@php.net 
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3378 for why.
 [2007-07-25 14:31 UTC] jani@php.net 
Re-opening and assign to Stas who has something cooking up for this.
 [2007-07-28 13:45 UTC] harry at rhsoft dot net 
Is there any change?
The downloaded snapshot contains following in "news.txt"
Fixed session.save_path and error_log values to be checked against
open_basedir and safe_mode (CVE-2007-3378) 


If this change goes in php 5.2.4 final it will break many setups 
"session.save_path" and "error_log" set by admin in php.ini must not checked against open_basedir 

If you have 100 virtual hosts with open_basedir for each per <Directory> and the server is configured for one central errorlog and one central session.save_path all hosts will crash.

You must check changig this in .htaccess/ini_set() against open_basedir but not on the global configuration.

A script has not to look in the session-dir because in worst case it can read ALL session-files and display the content - so open_basedir has to block this and did it before the change.
 [2007-08-03 18:13 UTC] harry at rhsoft dot net 
Nice - The bug is present and you make a release candidate?
Aug 2007, PHP 5.2.4
02 Aug 2007, PHP 5.2.4RC1

Hopefully this is a joke......

If this will go to final i need a address to send a bill for changing 200 Host-Files on some servers!

Need to make for each one a session-directory and set it to open_basedir or a stupid global configuration that allows scripts reading of all session-files from other users too.

But what should we do with global error_log?
Give all Hosts access to the log-folder? NO - Never!
 [2007-08-07 00:25 UTC] jani@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

AFAIK, this is now fixed. Please try the snapshot.
 [2007-08-07 08:55 UTC] harry at rhsoft dot net 
Yes seems to work correct

<?php
 session_start();
 echo $a;
 phpinfo();
?>

Notice: Undefined variable: a in /mnt/data/www/www.rhsoft.net/test.php on line 3
PHP Version 5.2.4RC1-dev

__________

Session was started with a save-path outside open_basedir
The Warning-Message was written in the global error_log also outside open_basedir
 [2007-08-16 20:28 UTC] phpbugs at thequod dot de 
I can confirm that the bug is fixed, too.
Thank you.
 [2007-08-16 21:03 UTC] stas@php.net 
I've fixed it to work as before and only check open_basedir if set by user in runtime or .htaccess. 

P.S. yes it was in rc1. But not in rc2 and won't be in 5.2.4. If you still see it in 5.2 CVS cry aloud.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Nov 23 15:01:29 2024 UTC