PHP :: Bug #42894 :: session.save_path IN PHP.INI does not override open

Bug #42894	session.save_path IN PHP.INI does not override open_basedir
Submitted:	2007-10-08 21:11 UTC	Modified:	2007-10-11 14:39 UTC
From:	yurtesen at ispro dot net	Assigned:
Status:	Closed	Package:	Session related
PHP Version:	5.2.4	OS:	FreeBSD
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-10-08 21:11 UTC] yurtesen at ispro dot net

Description:
------------
In shared hosting environment the hosts shouldnt be able to read each other's session files.

Earlier it was possible to set session.save_path in php.ini and session_start(); would create the session files even outside the open_basedir restrictions.

This is useful to allow users to create sessions yet not able to read them directly using file functions. Also disallows sites to read each other's session files which can include session data.

If sites were defined with open_basedir = /var/tmp:/home/site.com
then each site could read each other's session files. Unless there was different session.save_paths for each site also. Which is impractical.

It should be safe to let the value in php.ini to override open_basedir.

The security bug  "Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Stas, Maksymilian Arciemowicz)"  effects values being changed using .htaccess files only. The main server php.ini file should be safe to use!

Reproduce code:
---------------
set open_basedir to /somewhere
set session.save_path to /anotherplace

<?php
  session_start();
?>

Expected result:
----------------
session file created in /anotherplace

Actual result:
--------------
Warning: session_start() [function.session-start]: open_basedir restriction in effect. File(/anotherplace) is not within the allowed path(s):

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-10-11 13:43 UTC] jani@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

[2007-10-11 14:39 UTC] yurtesen at ispro dot net

Moi
Weird thing is that it started working after I updated the php.ini perhaps I forgot to put session.save_path or somehow it was erased.
Sorry to bother,
Thanks,

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Jul 13 06:01:32 2025 UTC