ID: 21632
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Feedback
+Status: Open
Bug Type: Session related
Operating System: Slackware8.1/kernel2.4.19grsecur
PHP Version: 4.2.3
New Comment:
I've read the HOW TO REPORT A BUG and, except that this is the old 4.2.3
version, I don't think the description of the bug was so imprecise.
So, if you need a sample of code:
Under the htdocs of Apache, there is a PHP page with this:
==========================================================
// INCLUDE A FILE WITH A $path var handling a
// directory not in the apache web-root
// (/usr/local/apache/scripts-php) for security reasons
include_once("ini.php");
// Include a PHP page with functions not in the apache web
//root
include_once("$path/fonctions_mysql.php");
...
...
echo "<a href=\"toto.php\">"; // PERFECTLY TRANS-SID modified
...
// DISPLAY A NAVIG TEXT WITH LINKS NOT MODIFIED BY TRANS-SID
getNavigationBar($cle_temp, $cle_dossier, 0, $maxLocalisation);
...
==========================================================
And in the fonctions_mysql.php under /usr/local/apache/scripts-php (not
the apache web root so) :
function getNavigationBar($key, $cleDossier, $currentLocalisation, $maxLocalisation){
    $navigation[0] = "coordonnées|http://minisites.nordnet.fr/generateur_mini_site/coordonnees.php?cle_temp=$key";
    $navigation[1] = "choix du site|http://minisites.nordnet.fr/generateur_mini_site/type_site.php?cle_temp=$key&localisation=site";
    $navigation[2] = "pages du site|http://minisites.nordnet.fr/generateur_mini_site/type_site.php?cle_temp=$key&localisation=info_site";
    if($maxLocalisation != null){
        echo "you are here: ";
        for($i=0; $i<count($navigation); $i++){
            if(!$activee[$i]){
                continue;
            }
            $nomEtape = strtok($navigation[$i],"|");
            $url = strtok("|"); // GET THE URL BY STRTOKIN' THE |
            // DISPLAY THE LINK BUT IT IS NOT MODIFIED BY TRANS-SID TO
            // INCLUDE THE SESSION ID
            echo ">> <a href=\"$url\">$nomEtape</a> ";
        }
    }
}
?>
Previous Comments:
------------------------------------------------------------------------
[2003-01-14 05:35:52] [EMAIL PROTECTED]
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php
If you can provide more information, feel free to add it
to this bug and change the status back to "Open".
Thank you for your interest in PHP.
------------------------------------------------------------------------
[2003-01-14 05:28:24] [EMAIL PROTECTED]
Hi,
I've noticed a fact. I don't know if it's a bug or normal stuff.
The website is in /usr/local/apache/htdocs and there the links in the
php pages are automatically modified by --enable-trans-sid.
But, in these pages, I call a function in a php file not present under
the htdocs repository but in /usr/local/apache/scripts-php for security
reasons (mysql password...) and there is a function that takes a session
value to display a navigation bar writing links. Those links are not
post-processed by trans-sid.
Is this a bug or normal stuff?
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=21632&edit=1