"Curt Zirzow" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> * Thus wrote Rx ([EMAIL PROTECTED]):
> > There's absolutely no control over session.save_path parameter in php. By
> > setting it to every directory he wants, every user can:
>
> You can set the value with
> php_admin_value save_path "/tmp"

If I set php_admin_value, the user can STILL change the value with ini_set()! I tested it. php_admin_value only prevents changing the value from a .htaccess file. Actually this also makes sense to me: values set by php_admin_value shouldn't be allowed to change ever.

> > 1. (!!!) Absolutely easily generate new sessions with any content for every
> > site on server.
>
> prevented with open_basedir. Can you demonstrate how you expect to
> do this? Using open_basedir most can also resolve this issue.

You didn't understand. I change session.save_path to another site's session directory, do session_start(), write every variable I want, write down the session number, go to this site and use this generated session. You can't prevent this ever!

> > 2. Delete other users' sessions by setting gc to 100 and probably legal files
> > starting with sess_*.
>
> This might be a valid point if you also mention that if the user
> sets gc_maxlifetime to a value of 1 or lower than cache_expire,
> and the gc_probability at 100. Although I haven't tested, and
> probably should be.
>
> I'm also not sure but technically gc_maxlifetime should never be
> lower than cache_expire, if this is the case then there no issues
> with setting gc_probability to 100, cept for a bunch of overhead for
> the users script.

Hm, what's the connection with cache_expire? A user sets gc to 100 and maxlifetime to 1 sec, then that script will delete every session in the directory.

> > 3. Flood every http server writable directory with thousands or millions
> > of files.
>
> Don't allow the person to create files. That is the only way to
> prevent a user from doing this regardless of the save_path parameter.

No, it's not a valid point. Every user can access only a certain directory with Apache permissions or with his own. And I know which directory belongs to whom. However, with session.save_path a user can flood EVERY directory on the server, and I won't even know which user did that!

> > session.save_path should be controlled under open_basedir variable or some
> > other mechanism.
>
> Perhaps a better solution would be to have a php.ini setting for
> disabling ini settings:
>
> disable_ini session.save_path,session.gc_maxlifetime

Well, I agree, that should be done too.

> Curt
> --
> "I used to think I was indecisive, but now I'm not so sure."
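
A way to check the settings argued over in this thread on one's own server, as an added example that is not code from either poster or from the PHP project: it probes whether a script under the current virtual host can change session.save_path, session.gc_probability and session.gc_maxlifetime at runtime, then reports open_basedir and the session directory's permissions. The function names and the probe directory name are constructed for illustration.

```php
<?php
// Added example, not from the thread. Run it through the same SAPI and
// virtual host as the site being checked. All probing is done before any
// output, because PHP rejects session ini changes once headers are sent.

// True if ini_set() is able to change $name at runtime.
function runtime_changeable(string $name, string $value): bool
{
    $before = ini_get($name);
    $ok = @ini_set($name, $value) !== false && ini_get($name) === $value;
    if ($ok) {
        ini_set($name, (string) $before); // put the original value back
    }
    return $ok;
}

function audit_session_settings(): array
{
    $report = [];
    // Constructed probe values; the directory is never created or written to.
    $probes = [
        'session.save_path'      => sys_get_temp_dir() . '/save_path_probe',
        'session.gc_probability' => '100',
        'session.gc_maxlifetime' => '1',
    ];
    foreach ($probes as $name => $value) {
        $report[] = sprintf('%-24s %s', $name,
            runtime_changeable($name, $value) ? 'CHANGEABLE by scripts' : 'locked');
    }

    $basedir = (string) ini_get('open_basedir');
    $report[] = 'open_basedir             ' . ($basedir !== '' ? $basedir : 'NOT SET');

    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = end($parts) ?: sys_get_temp_dir();
    $mode = @fileperms($dir);
    if ($mode === false) {
        $report[] = "session dir $dir: cannot stat";
    } else {
        $report[] = sprintf('session dir %s mode %04o%s', $dir, $mode & 07777,
            ($mode & 0007) ? ' (permission bits set for other users)' : '');
    }
    return $report;
}

echo implode(PHP_EOL, audit_session_settings()), PHP_EOL;
```

Results differ between the CLI and the web server SAPI, since php_admin_value and per-vhost open_basedir only apply under the web server, so request the script through each site's own virtual host.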