Summary: | safe_mode = on and session_start() in php-5.2.3-r3 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jonas Pedersen <jonas> |
Component: | Current packages | Assignee: | PHP Bugs <php-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hermelin |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Jonas Pedersen
2007-08-01 12:41:56 UTC
I have same problem Portage 2.1.2.9 (default-linux/amd64/2007.0, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17.14 x86_64) ================================================================= System uname: 2.6.17.14 x86_64 AMD Opteron(tm) Processor 246 Gentoo Base System release 1.12.9 Timestamp of tree: Tue, 31 Jul 2007 16:30:11 +0000 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r6 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.23b virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=opteron -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=opteron -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X509 accessibility acl acpi adns aim amd64 apache2 apm berkdb bitmap-fonts bzlib calendar chroot cli cracklib crypt cscope ctype curl curlwrappers dba dbm dbx dedicated dio dri erandom exif fam fastcgi fftw flatfile foomaticdb fortran freedts ftp gd gdbm gif gps imap imlib inifile innodb ipv6 isdnlog ithreads jabber jikes jpeg justify kerberos libedit libwww maildir mailwrapper mbox mcal mcve memlimit mhash midi mime ming mmap mmx mng msession mudflap mysql mysqli ncurses nis nls nocardbus nptl nptlonly odbc offensive openmp pam pcntl pcre pdflib perl php png posix pppd prelude pwdb python readline recode reflection sasl session sftplogging simplexml skey slang snmp sockets spell spl sse sse2 ssl sysvipc szip tcpd threads tidy tiff tokensizer truetype-fonts type1-fonts unicode usb vhosts wmf xml xml-rpc xml2 xorg xsl zeo zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS The is not a bug, it's intended behaviour per upstream patch and the ebuild explicitely points you to this and tells you what to do. <snip> if use session; then elog "When using open_basedir in conjunction with the session extension" elog "make sure you add the value of session.save_path to open_basedir as" elog "well, e.g.: with session.save_path=/tmp (default) you should have" elog "open_basedir=/your/usual/webdir/:/tmp/" fi </snip> That is what you get from not reading all the output from the emerge :-) Actually I was not sure if this was a bug or intended feature. If I read bug #42077 at bugs.php.net (http://bugs.php.net/bug.php?id=42077) I can see that it is still open as the behavior of the patch still might change. This is due to the problems having session.save_path included in open_basedir, as it allows all scripts to read all session files, if all sessions files for the virtual hosts are stored in the same directory. And this is not a good idea. I can also see the problem by not having this patch included due to CVE-2007-3378 (this one is mentioned in the bug). Shrug; upstream really should do a quick security release, instead of forcing distributions to patch PHP to hell until they release something. :/ Upstream has completely new code to solve the security issue in cvs now and we packaged it as php-5.2.4_pre200708051230-r1 (in the php-testing overlay). Could you please test and verify that the bug (more exactly: behaviour change) is fixed there? I can confirm that my simple test script is working as expected with php-5.2.4_pre200708051230-r1. 5.2.4_pre200708051230-r2 committed. |