Bug #42894 session.save_path IN PHP.INI does not override open_basedir
Submitted: 2007-10-08 21:11 UTC Modified: 2007-10-11 14:39 UTC
From: yurtesen at ispro dot net Assigned:
Status: Closed Package: Session related
PHP Version: 5.2.4 OS: FreeBSD
Private report: No CVE-ID: None
 [2007-10-08 21:11 UTC] yurtesen at ispro dot net
Description:
------------
In a shared hosting environment the hosts shouldn't be able to read each other's session files.

Earlier it was possible to set session.save_path in php.ini and session_start(); would create the session files even outside the open_basedir restrictions.

This is useful to allow users to create sessions yet not be able to read them directly using file functions. It also prevents sites from reading each other's session files, which can include session data.

If sites were defined with open_basedir = /var/tmp:/home/site.com
then each site could read each other's session files, unless there was a different session.save_path for each site also, which is impractical.

It should be safe to let the value in php.ini override open_basedir.

The security bug "Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Stas, Maksymilian Arciemowicz)" affects values being changed using .htaccess files only. The main server php.ini file should be safe to use!

Reproduce code:
---------------
set open_basedir to /somewhere
set session.save_path to /anotherplace

<?php
  session_start();
?>

Expected result:
----------------
session file created in /anotherplace

Actual result:
--------------
Warning: session_start() [function.session-start]: open_basedir restriction in effect. File(/anotherplace) is not within the allowed path(s):
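As an added example that is not part of this bug report, the following hypothetical audit helper (assumes PHP 8 for str_starts_with) checks the two properties the report is about: whether session.save_path lies inside open_basedir, so session_start() will not fail as above, and whether it is a directory shared with other sites, so their session files would be readable.

```php
<?php
// Added audit helper, not from the bug report. Run it under each site's PHP
// configuration to find session directories that are blocked by open_basedir
// or that are shared with other virtual hosts.
function sessionPathAudit(string $savePath, string $openBasedir): array {
    // session.save_path may be "N;/path" or "N;MODE;/path"; keep only the path part.
    $parts = explode(';', $savePath);
    $dir = end($parts);
    $real = realpath($dir);
    if ($real === false) {
        return ['ok' => false, 'findings' => ["save_path '$dir' does not exist"]];
    }
    $findings = [];
    // open_basedir is a PATH_SEPARATOR-delimited list (':' on FreeBSD/Linux).
    $allowed = array_filter(array_map('trim', explode(PATH_SEPARATOR, $openBasedir)));
    $inside = false;
    foreach ($allowed as $base) {
        $baseReal = realpath($base);
        if ($baseReal !== false && str_starts_with($real . '/', rtrim($baseReal, '/') . '/')) {
            $inside = true;
            break;
        }
    }
    if ($openBasedir !== '' && !$inside) {
        $findings[] = "save_path '$real' is outside open_basedir; session_start() will warn (CVE-2007-3378 check)";
    }
    // A shared temp directory is readable by every site whose open_basedir includes it.
    foreach (['/tmp', '/var/tmp'] as $shared) {
        if ($real === $shared) {
            $findings[] = "save_path '$real' is a shared temp directory; other sites allowed there can read these session files";
        }
    }
    // Group/other permission bits let other local users list or read the session files.
    $perms = fileperms($real) & 0777;
    if ($perms & 0077) {
        $findings[] = sprintf("save_path '%s' has mode %o; expected 0700 owned by the site's user", $real, $perms);
    }
    return ['ok' => $findings === [], 'findings' => $findings];
}

// Audit the running configuration of this site (assumption: executed as the site's PHP).
$result = sessionPathAudit((string) ini_get('session.save_path'), (string) ini_get('open_basedir'));
foreach ($result['findings'] as $finding) {
    echo $finding, PHP_EOL;
}
```

A per-site session.save_path inside that site's own open_basedir (for example /home/site.com/sessions with mode 0700) passes all three checks.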

 [2007-10-11 14:39 UTC] yurtesen at ispro dot net
Hi
The weird thing is that it started working after I updated the php.ini; perhaps I forgot to put session.save_path in, or somehow it was erased.
Sorry to bother,
Thanks,