Edit report at https://bugs.php.net/bug.php?id=42952&edit=1
ID: 42952
Comment by: joey dot cai at gmail dot com
Reported by: glen at delfi dot ee
Summary: soap cache file is created with insecure permissions on some configurations
Status: Closed
Type: Bug
Package: SOAP related
Operating System: PLD Linux
PHP Version: 5.2.4
Assigned To: dmitry
Block user comment: N
Private report: N
New Comment:
The original diff is no longer available since cvs.php.net is long gone. But
according to the git log, this patch introduced a bug that only the creator of
the cache file can access it. Users with different UIDs have no permission. I
think both #51407 and #61094 point to the same thing.
I saw from the comments that you talked about keeping user id (getuid()) in the
cache filename, but somehow that doesn't show up in the code. Can you check
that, @dmitry? Thank you.
Previous Comments:
------------------------------------------------------------------------
[2007-11-23 10:06:21] [email protected]
Fixed in CVS HEAD and PHP_5_3.
http://cvs.php.net/viewvc.cgi/php-src/ext/soap/php_sdl.c?r1=1.88.2.12.2.9&r2=1.88.2.12.2.9.2.1&diff_format=u
------------------------------------------------------------------------
[2007-11-01 16:10:26] glen at delfi dot ee
That would be fine (at least not closed as bogus).
Distributions are free to backport changes they like :)
------------------------------------------------------------------------
[2007-11-01 14:14:14] [email protected]
I thought about it.
It may be good for php-5.3.0, but I don't like to make such a change in 5.2.*
------------------------------------------------------------------------
[2007-11-01 14:10:02] glen at delfi dot ee
So perhaps keep user id (getuid()) in the cache filename?
------------------------------------------------------------------------
[2007-11-01 13:32:18] [email protected]
Even one SAPI in a shared environment will have the same issue.
If you have several php-cgi processes with different UID, only one of them will
own the cache file, and all others won't be able to access it.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=42952
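
An added example, not part of the bug report and not php-src code: one way to reconcile the two concerns raised in this thread (owner-only cache files, and several UIDs sharing one cache directory), sketched in C. The function names, the `wsdl-<uid>-<key>` filename layout and the owner-only mode check are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
/* Added illustration; hypothetical names, not the php-src implementation. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Per-UID cache path <dir>/wsdl-<uid>-<key>, so processes running under
 * different UIDs never compete for one file. Returns -1 if truncated. */
int cache_path(char *out, size_t len, const char *dir, uid_t uid, const char *key)
{
    int n = snprintf(out, len, "%s/wsdl-%lu-%s", dir, (unsigned long)uid, key);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Write through a temp file that mkstemp() creates exclusively with mode
 * 0600, then rename() it into place so readers never see a partial file. */
int cache_store(const char *path, const void *data, size_t n)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write(fd, data, n) == (ssize_t)n;
    ok = (close(fd) == 0) && ok;
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);
    return -1;
}

/* Accept a cache file only if it is a regular file (no symlink), owned by
 * uid, with no group/other permission bits. Returns a read-only fd or -1. */
int cache_open_trusted(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != uid || (st.st_mode & 077) != 0) {
        close(fd);   /* wrong owner or too-permissive mode: treat as a miss */
        return -1;
    }
    return fd;
}
```

Checking ownership and mode with fstat() on the already opened descriptor, rather than stat() on the path, avoids a race between the check and the read.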