ID: 42077 Comment by: harry at rhsoft dot net Reported By: spam2 at rhsoft dot net Status: Assigned Bug Type: Session related Operating System: Linux PHP Version: 5CVS-2007-07-23 (snap) Assigned To: stas New Comment:
Nice - The bug is present and you make a release candidate? Aug 2007, PHP 5.2.4 02 Aug 2007, PHP 5.2.4RC1 Hopefully this is a joke...... If this will go to final i need a address to send a bill for changing 200 Host-Files on some servers! Need to make for each one a session-directory and set it to open_basedir or a stupid global configuration that allows scripts reading of all session-files from other users too. But what should we do with global error_log? Give all Hosts access to the log-folder? NO - Never! Previous Comments: ------------------------------------------------------------------------ [2007-07-28 13:45:07] harry at rhsoft dot net Is there any change? The downloaded snapshot contains following in "news.txt" Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) If this change goes in php 5.2.4 final it will break many setups "session.save_path" and "error_log" set by admin in php.ini must not checked against open_basedir If you have 100 virtual hosts with open_basedir for each per <Directory> and the server is configured for one central errorlog and one central session.save_path all hosts will crash. You must check changig this in .htaccess/ini_set() against open_basedir but not on the global configuration. A script has not to look in the session-dir because in worst case it can read ALL session-files and display the content - so open_basedir has to block this and did it before the change. ------------------------------------------------------------------------ [2007-07-25 14:31:47] [EMAIL PROTECTED] Re-opening and assign to Stas who has something cooking up for this. ------------------------------------------------------------------------ [2007-07-23 09:12:07] [EMAIL PROTECTED] See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3378 for why. ------------------------------------------------------------------------ [2007-07-23 08:00:31] spam2 at rhsoft dot net Description: ------------ The Session-Save-Dir MUST NOT be in open_basedir because scripts must not read session files for security! And a failed session_start() have not to be fatal error too Warning: session_start() [function.session-start.php]: open_basedir restriction in effect. File(/var/www/sessiondata) is not within the allowed path(s): (/mnt/data/www/www.rhsoft.net:/mnt/data/www/phpincludes:/usr/share/pear:/var/www/uploadtemp) in /mnt/data/www/www.rhsoft.net/test.php on line 2 Fatal error: session_start() [<a href='http://at.php.net/manual/de/function.session-start.php'>function.session-start.php</a>]: Failed to initialize storage module: files (path: /var/www/sessiondata) in /mnt/data/www/www.rhsoft.net/test.php on line 2 Reproduce code: --------------- <?php session_start(); ?> Expected result: ---------------- A started session Actual result: -------------- A killed script ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=42077&edit=1