Newsgroups: php.internals
Date: Wed, 08 Feb 2012 15:40:08 -0800
Message-ID: <4F3307D8.4040202@oracle.com>
From: christopher.jones@oracle.com (Christopher Jones)
To: Ondřej Surý
CC: PHP internals
Subject: Re: [PHP-DEV] Security risk how to use find recommended in php.ini-*

On 02/08/2012 03:35 PM, Ondřej Surý wrote:
> This is very wrong to recommend:
>
> ; NOTE: If you are using the subdirectory option for storing session files
> [...]
> ; find /path/to/sessions -cmin +24 | xargs rm
>
> because it is prone to a '\n' attack. You can see the security
> considerations of GNU find.

Can you log a bug for this at https://bugs.php.net/ ?

Thanks,
Chris

-- 
Email: christopher.jones@oracle.com
Tel: +1 650 506 8630
Blog: http://blogs.oracle.com/opal/
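The failure Ondřej describes, and the two standard ways to avoid it, as an added demonstration that is not from php.ini, the GNU find manual or this thread. It builds a scratch "sessions" directory containing a constructed file whose name holds a newline, shows that the `find | xargs rm` pipe from the php.ini note cannot handle that name, and then cleans up with `-print0 | xargs -0` and with `-delete`. Assumptions: GNU or BSD `find` and `xargs` (for `-print0`, `-0` and `-delete`), `mktemp -d`, and stale-ness judged on mtime with `-mtime +1` rather than the ctime test (`-cmin`) the php.ini note uses, because ctime cannot be backdated from userspace and the fixture has to age a file.

```shell
#!/bin/sh
# Added demonstration (not from php.ini or the thread): why a newline-separated
# file list breaks `find | xargs rm`, and two forms that are safe against it.
# Assumptions: GNU or BSD find/xargs (-print0, -0, -delete); scratch directory
# from mktemp; stale-ness judged on mtime (-mtime +1) instead of the ctime
# test (-cmin) used in php.ini, because ctime cannot be set from userspace.

NL='
'   # a literal newline, used to build a file name that contains one

# Build a scratch "sessions" directory with two constructed files:
#   sess_fresh                  - just created, must survive cleanup
#   sess_stale<NL>second-line   - backdated to the year 2000, must be removed
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/sess_fresh"
    : > "$dir/sess_stale${NL}second-line"
    touch -t 200001010000 "$dir/sess_stale${NL}second-line"
    printf '%s' "$dir"
}

# Count regular files below $1, NUL-delimited so a name holding a newline is
# counted once rather than once per line.
count_files() {
    find "$1" -type f -print0 | tr -cd '\0' | wc -c | tr -d ' '
}

# The php.ini pattern: find emits one name per line and xargs splits on
# whitespace, so "sess_stale<NL>second-line" reaches rm as two arguments that
# name nothing. The stale file survives, and the same split is what lets a
# crafted name steer rm at a path it was never meant to touch.
cleanup_naive() {
    find "$1" -type f -mtime +1 | xargs rm -f 2>/dev/null || true
}

# Hardened form 1: NUL is the one byte a path name cannot contain, so a
# NUL-delimited list cannot be split by any file name.
cleanup_print0() {
    find "$1" -type f -mtime +1 -print0 | xargs -0 rm -f
}

# Hardened form 2: let find unlink what it matched. No argument list is built,
# so there is nothing a file name can inject into.
cleanup_delete() {
    find "$1" -type f -mtime +1 -delete
}

# Stand-alone run: `sh cleanup_demo.sh demo`
main() {
    d=$(make_fixture)
    printf 'before: %s files\n' "$(count_files "$d")"
    cleanup_naive "$d"
    printf 'after find | xargs rm: %s files (stale file survived)\n' "$(count_files "$d")"
    cleanup_print0 "$d"
    printf 'after find -print0 | xargs -0 rm: %s files\n' "$(count_files "$d")"
    rm -rf "$d"
}
case "${1:-}" in demo) main ;; esac
```

Either hardened form is sufficient on its own; `-delete` is the simpler one for a cron job, while `-print0 | xargs -0` is the pattern to reach for when the action is something other than `rm`.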