ID:               42077
 Comment by:       phpbugs at thequod dot de
 Reported By:      spam2 at rhsoft dot net
 Status:           No Feedback
 Bug Type:         Session related
 Operating System: Linux
 PHP Version:      5CVS-2007-07-23 (snap)
 Assigned To:      stas
 New Comment:

I can confirm that the bug is fixed, too.
Thank you.


Previous Comments:
------------------------------------------------------------------------

[2007-08-14 01:00:00] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

------------------------------------------------------------------------

[2007-08-07 08:55:38] harry at rhsoft dot net

Yes, seems to work correctly

<?php
 session_start();
 echo $a;
 phpinfo();
?>

Notice: Undefined variable: a in /mnt/data/www/www.rhsoft.net/test.php
on line 3
PHP Version 5.2.4RC1-dev

__________

Session was started with a save-path outside open_basedir.
The Warning-Message was written in the global error_log, also outside
open_basedir.

------------------------------------------------------------------------

[2007-08-07 00:25:39] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

AFAIK, this is now fixed. Please try the snapshot.

------------------------------------------------------------------------

[2007-08-03 18:13:36] harry at rhsoft dot net

Nice - The bug is present and you make a release candidate?
Aug 2007, PHP 5.2.4
02 Aug 2007, PHP 5.2.4RC1

Hopefully this is a joke......

If this will go to final I need an address to send a bill for changing
200 Host-Files on some servers!

Need to make for each one a session-directory and set it to
open_basedir or a stupid global configuration that allows scripts
reading of all session-files from other users too.

But what should we do with global error_log?
Give all Hosts access to the log-folder? NO - Never!

------------------------------------------------------------------------

[2007-07-28 13:45:07] harry at rhsoft dot net

Is there any change?
The downloaded snapshot contains the following in "news.txt":
Fixed session.save_path and error_log values to be checked against
open_basedir and safe_mode (CVE-2007-3378) 


If this change goes in php 5.2.4 final it will break many setups.
"session.save_path" and "error_log" set by admin in php.ini must not
be checked against open_basedir.

If you have 100 virtual hosts with open_basedir for each per
<Directory> and the server is configured for one central errorlog and
one central session.save_path all hosts will crash.

You must check changing this in .htaccess/ini_set() against open_basedir
but not on the global configuration.

A script has not to look in the session-dir because in worst case it
can read ALL session-files and display the content - so open_basedir has
to block this and did it before the change.

------------------------------------------------------------------------
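
An added example, not part of the bug report and not PHP's own code: a Python model of the policy the 2007-07-28 comment asks for, where session.save_path or error_log set in php.ini is trusted and a value set through .htaccess or ini_set() must fall inside open_basedir. The function names, source labels and sample paths are assumptions; matching is lexical on absolute POSIX paths and does not resolve symlinks.

```python
import posixpath

# Assumption: labels for where a setting came from, following the comment.
ADMIN_SOURCES = {"php.ini"}                 # global configuration, set by the admin
SCRIPT_SOURCES = {".htaccess", "ini_set"}   # reachable by a hosted user or script


def inside_basedir(path, basedirs):
    """True if path, after collapsing '.' and '..', is a basedir or below one."""
    target = posixpath.normpath(path)
    for base in basedirs:
        base = posixpath.normpath(base)
        # Compare whole path components so /var/www/host10 is not
        # accepted for a basedir of /var/www/host1.
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def allow_path_setting(source, value, open_basedir):
    """Decide whether session.save_path / error_log may take this value."""
    if source in ADMIN_SOURCES:
        return True                      # admin value: not checked
    if source not in SCRIPT_SOURCES:
        raise ValueError("unknown setting source: %r" % source)
    if not open_basedir:
        return True                      # no restriction configured
    return inside_basedir(value, open_basedir.split(":"))


if __name__ == "__main__":
    # Constructed sample: one vhost with its own open_basedir and a
    # central session directory shared by all hosts.
    basedir = "/var/www/host1:/tmp/host1"
    cases = [
        ("php.ini", "/var/lib/php/sessions"),        # central path from admin
        ("ini_set", "/var/lib/php/sessions"),        # script points at central dir
        (".htaccess", "/var/www/host1/sessions"),    # stays inside the vhost
        ("ini_set", "/var/www/host1/../host2/sess"), # traversal to a neighbour
    ]
    for source, value in cases:
        print(source, value, allow_path_setting(source, value, basedir))
```
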

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/42077
