ID: 33072
Comment by: zxqc2 at dunc dot com dot au
Reported By: andrey at ruweb dot net
Status: Open
Bug Type: Safe Mode/open_basedir
PHP Version: 5.0.4, 4.3.11

New Comment:
session_save_path also does not perform the open_basedir check. It does seem reasonable to allow access to the default session.save_path set by the ISP (even if not within the allowable open_basedir path) - which PHP does allow. However, when a script attempts to change it through session_save_path(...), it would make sense to perform this check to prevent access to the session directories of other virtual hosts. I am aware that similar issues have been discussed before, and also that there are better ways to secure sessions, but I thought I'd mention it here for the record.

Previous Comments:
------------------------------------------------------------------------

[2005-05-19 23:21:34] andrey at ruweb dot net

Description:
------------
(Sorry, I didn't find any reports about that issue. Can't believe nobody reported this yet!)

ini_set('session.save_path','...') works great - it produces an error when a user is trying to set session.save_path to a directory owned by another user. But why doesn't session_save_path perform safe_mode checks? For now, with session_save_path, any server user can quietly substitute session contents at any site located on the same server if he knows the path to the directory where that site's session files are stored. :(

------------------------------------------------------------------------
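Until the engine itself enforces the check, a site can apply the containment rule both comments ask for in userland before it calls session_save_path(). The following is an added example, not code from the bug report or from PHP: a wrapper that canonicalises the requested directory with realpath() and only accepts it when it lies inside one of the allowed base directories (taken from the open_basedir ini value, with a constructed fallback). The function name safe_session_save_path and the sample directories are assumptions; session_status() requires PHP 5.4 or later, so the example assumes a newer PHP than the versions the report names.

```php
<?php
// Added example (not part of the bug report): enforce an open_basedir-style
// containment check before calling session_save_path(), which, as the
// report states, performs no such check on its own.
function safe_session_save_path(string $path, array $allowedBases): string
{
    // Canonicalise first: symlinks and ".." must not be able to escape a base.
    $real = realpath($path);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException("session save path does not exist: $path");
    }

    // The save path may only be changed before the session is started.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('cannot change save path after session_start()');
    }

    foreach ($allowedBases as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue; // unresolvable base entries never match
        }
        $trimmed = rtrim($realBase, DIRECTORY_SEPARATOR);
        // Compare against "base/" so that /var/www/a does not match /var/www/ab.
        $prefix = $trimmed . DIRECTORY_SEPARATOR;
        if ($real === $trimmed || strncmp($real, $prefix, strlen($prefix)) === 0) {
            session_save_path($real);
            return $real;
        }
    }

    throw new RuntimeException("session save path $real is outside the allowed bases");
}

// Allowed bases come from open_basedir when it is set; the fallback to the
// system temp dir is a constructed value for running this example stand-alone.
$bases = array_filter(explode(PATH_SEPARATOR, (string) ini_get('open_basedir')));
if ($bases === []) {
    $bases = [sys_get_temp_dir()];
}

try {
    echo 'using ', safe_session_save_path(sys_get_temp_dir(), $bases), PHP_EOL;
    // A directory outside every allowed base is refused instead of silently accepted.
    safe_session_save_path('/etc', [sys_get_temp_dir()]);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that the wrapper is stricter than PHP's own open_basedir matching, which treats each entry as a string prefix (an entry of /dir/incl also admits /dir/include unless it ends in a slash); the wrapper only accepts the base directory itself or paths below it. It also fails closed: an unresolvable base entry is skipped rather than treated as a wildcard.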