Newsgroups: php.internals
Message-ID: <48B5CE4A.7000807@zend.com>
Date: Wed, 27 Aug 2008 14:59:38 -0700
Organization: Zend Technologies
To: Alexey Zakhlestin
CC: PHP Internals
Subject: Re: [PHP-DEV] open_basedir + sessions bug (or a feature?)
From: stas@zend.com (Stanislav Malyshev)

Hi!

> ext/sessions/mod_files.c:281 has a hardcoded openbasedir-check
> skipping of "/tmp" path for storing session-files, if
> sessions.save_path is not manually set.

I would think the idea was to make it easier on inexperienced users. Since the default AFAIK is /tmp, and it is highly unlikely that somebody would need to hide /tmp from the users, it makes more scenarios work out of the box.

> Anyway, this looks like something done wrong from the beginning.
> Shouldn't "/tmp" be explicitly added to open_basedir list? Why should
> it have any special meaning?
> I propose to remove special treatment of "/tmp" (should be mentioned
> in upgrade-docs)

Is there any problem that this treatment is causing? I.e. on Mac the default is different, but that's not a problem of this treatment - it's rather missing special treatment of /var/tmp on mac, I'd say :) So Mac users don't get this boon, but is it the reason to remove it from other users?

-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
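
Added example (not part of the original message and not PHP's own code): a small configuration audit that reports whether a session save path is listed in open_basedir or works only through the "/tmp" special case discussed in this thread. The function names and sample values are hypothetical. It assumes open_basedir entries are directories, that an unset save path means /tmp as stated above, and it compares strings without resolving symlinks or relative entries.

```php
<?php
/** Strip the optional "N;" or "N;MODE;" prefix from a session.save_path value. */
function session_dir(string $savePath): string
{
    $pos = strrpos($savePath, ';');
    return $pos === false ? $savePath : substr($savePath, $pos + 1);
}

/** True if $dir equals or lies beneath one of the open_basedir entries. */
function covered_by_basedir(string $dir, string $openBasedir, string $sep = PATH_SEPARATOR): bool
{
    $dir = rtrim($dir, '/') . '/';
    foreach (explode($sep, $openBasedir) as $entry) {
        if ($entry === '') {
            continue;
        }
        // Compare with a trailing slash so "/tmp" does not match "/tmpfoo".
        $entry = rtrim($entry, '/') . '/';
        if (strncmp($dir, $entry, strlen($entry)) === 0) {
            return true;
        }
    }
    return false;
}

function classify(string $savePath, string $openBasedir, string $sep = PATH_SEPARATOR): string
{
    if ($openBasedir === '') {
        return 'open_basedir not set: no restriction applies';
    }
    $dir = session_dir($savePath);
    if ($dir === '') {
        // Unset save path: the thread gives /tmp as the default (assumption).
        return covered_by_basedir('/tmp', $openBasedir, $sep)
            ? 'default /tmp is listed in open_basedir'
            : 'default /tmp is NOT listed: works only through the special case';
    }
    return covered_by_basedir($dir, $openBasedir, $sep)
        ? "save path $dir is listed in open_basedir"
        : "save path $dir is outside open_basedir";
}

// Constructed sample settings: [session save path, open_basedir], ':' separated.
$samples = [['', '/var/www/site'], ['', '/var/www/site:/tmp'],
            ['2;/var/lib/php/sessions', '/var/www/site:/usr/share/php'],
            ['/var/www/site/sessions', '/var/www/site']];
foreach ($samples as [$sp, $ob]) {
    printf("%-26s | %-30s | %s\n", $sp === '' ? '(unset)' : $sp, $ob, classify($sp, $ob, ':'));
}
```

To audit a live installation, pass `ini_get('session.save_path')` and `ini_get('open_basedir')` to `classify()` and leave the separator at its default.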