Hi,

I have earlier posted my concern about some security issues, which has been dismissed, as mentioned in:
http://news.php.net/php.internals/10849

Even though I still hope that my basic questions (as mentioned at the bottom of the above post - reposted at the bottom of this post) will be answered, I have encountered yet another issue regarding bug #28932:
http://bugs.php.net/bug.php?id=28932

The bug is dismissed, and open_basedir is mentioned. But it doesn't solve the problem of glob() disclosing file names.

The following virtual host is restricted by both safe_mode and open_basedir:
http://basedir.ter.dk/index.php (file owned by ordinary user)
http://basedir.ter.dk/nobody.php (file owned by apache user)

... and file names are still disclosed:
1. .. is not allowed to access /tmp/phptest_sess_11c68bddfd
2. File(/tmp/phptest_sess_11c68bddfd) is not within the allowed path(s):

The reason why I'm posting here instead of creating a new bug report is that I'm not sure whether a bug report would have any effect, since my last reports were dismissed as bogus, even though no clear answer has been given that would fully satisfy the concern (e.g. file names are still disclosed).

I'm not sure whether I'm wasting valuable time of the php-developers by just being an annoying person using bugs.php.net as my own soap box for personal opinions of how I would want PHP to behave, or if these reports make sense. E.g. the people I have shown http://stock.ter.dk/session.php to are concerned, but I'm not sure whether I should take this as a hint that something needs to be reworked, or if it's just a variant of the old "Me and my friends..."-argument :)

If nobody wants to give an answer to the above, my question would still be: Is there any way of restricting people from retrieving file names (where open_basedir and safe_mode obviously won't help), besides adding glob to disable_functions in php.ini?

Thanks for listening :)

My original questions:
==
Even if an administrator is able to put up custom configuration,
1. Is there any reason for not adding UID or the like to the session files?
2. Is there any reason for not adding information in the documentation regarding shared sessions?
3. Is there any reason for not mentioning glob() under "Functions restricted/disabled by safe mode"?
4. Is there any reason for glob() performing a check on the first file that matches the pattern, even if this gives arbitrary results?
5. Is there any reason for glob() disclosing file names on warnings?
6. Is there any reason for users to be able to figure out almost any file name on the system using glob() (which would require less work than brute force guesses)?
==

-- 
- Peter Brodersen
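Added example, not part of the original post and not PHP's own code: a small Python check of a php.ini-style fragment for the two conditions the post raises, glob missing from disable_functions and session files kept in a directory shared between users. The sample fragments, the SHARED_DIRS list, the ':' separator for open_basedir and the /tmp fallback for an empty session.save_path are assumptions.

```python
import posixpath

SHARED_DIRS = {"/tmp", "/var/tmp"}  # assumption: directories every vhost user can list

def parse_ini(text):
    """Parse php.ini-style 'key = value' lines; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment, section header or malformed line
        key, value = (part.strip() for part in line.split("=", 1))
        if value[:1] == '"':
            value = value[1:].split('"', 1)[0]      # quoted: keep any ';' inside
        else:
            value = value.split(";", 1)[0].strip()  # unquoted: ';' starts a comment
        conf[key.lower()] = value
    return conf

def audit(ini_text):
    """Return finding codes for the settings the post is concerned about."""
    conf = parse_ini(ini_text)
    findings = []
    disabled = {f.strip().lower() for f in conf.get("disable_functions", "").split(",")}
    if "glob" not in disabled:
        findings.append("glob_enabled")
    if not [d for d in conf.get("open_basedir", "").split(":") if d]:
        findings.append("open_basedir_unset")
    # session.save_path may be "N;/path"; empty is assumed to fall back to /tmp
    save_path = conf.get("session.save_path", "").split(";")[-1] or "/tmp"
    if posixpath.normpath(save_path) in SHARED_DIRS:
        findings.append("shared_session_dir")
    return findings

WEAK = """\
; constructed sample: vhost restricted by safe_mode and open_basedir only
safe_mode = On
open_basedir = /home/vhost1/
disable_functions =
session.save_path = "/tmp"
"""
HARDENED = """\
open_basedir = /home/vhost1/
disable_functions = glob, exec   ; constructed sample
session.save_path = "2;/home/vhost1/sessions"
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```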