From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 11:40:03 GMT
Message-Id: <200909101140.n8ABe3PV039271@freefall.freebsd.org>

The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org, andzinsm@volt.iem.pw.edu.pl
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:14:32 +0200

 I don't know what you are trying to solve. If PHP runs under user www
 (Apache), it can still read the content of the directory.
 If you want to disallow access to sessions of different domains
 (VirtualHosts), you can do it by using a different session.save_path for
 each domain.

 In the context of the VirtualHost for www.domain1.tld:
     php_admin_value session.save_path /web/www.domain1.tld/tmp

 In the context of the VirtualHost for www.domain2.tld:
     php_admin_value session.save_path /web/www.domain2.tld/tmp
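
An added example, not part of the original message: a small Python audit that reads Apache configuration text and reports VirtualHosts that set no session.save_path of their own, or that share one with another VirtualHost. The sample configuration, the hosts www.domain3.tld and www.domain4.tld, and the function name are constructed for illustration; it only inspects configuration and says nothing about file permissions on the directories.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the original message).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.domain1.tld
    php_admin_value session.save_path /web/www.domain1.tld/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain2.tld
    php_admin_value session.save_path /web/www.domain2.tld/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain3.tld
    php_admin_value session.save_path "/web/www.domain2.tld/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain4.tld
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)
PATH_RE = re.compile(
    r'^[ \t]*php_(?:admin_)?value[ \t]+session\.save_path[ \t]+"?([^"\n]+?)"?[ \t]*$',
    re.I | re.M)

def audit_session_paths(conf_text):
    """Return (missing, shared): vhosts without their own session.save_path,
    and a dict of save paths that more than one vhost points at."""
    missing, users = [], defaultdict(list)
    for i, block in enumerate(VHOST_RE.findall(conf_text)):
        block = re.sub(r"^[ \t]*#.*$", "", block, flags=re.M)  # drop comments
        m = NAME_RE.search(block)
        name = m.group(1) if m else f"<vhost #{i}>"
        paths = PATH_RE.findall(block)
        if not paths:
            missing.append(name)   # falls back to the server-wide save path
            continue
        # Assumption: when a vhost repeats the directive, the last one applies.
        users[paths[-1].rstrip("/") or "/"].append(name)
    shared = {p: v for p, v in users.items() if len(v) > 1}
    return missing, shared

if __name__ == "__main__":
    print(audit_session_paths(SAMPLE_CONF))
```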