authorJoe Watkins <krakjoe@php.net>2017-01-06 06:07:31 +0000
committerJoe Watkins <krakjoe@php.net>2017-01-06 06:08:38 +0000
commit969622cddf71bd02e602e3e529821dd072b494b2 (patch)
tree2c8c755c7e292353bb063d9aea1044ca7d4f31b4 /ext/session
parent7c94b3b743d1b0227d198c82c0d00b8ffbb219d0 (diff)
parent811dfaa57b914630e1805c96f3fed83ecc97cc45 (diff)
Merge branch 'PHP-7.1'
* PHP-7.1: Fixed bug #69582 session not readable by root in CLI
Diffstat (limited to 'ext/session')
-rw-r--r--ext/session/mod_files.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index d26a27db18..38cc80236e 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -196,8 +196,14 @@ static void ps_files_open(ps_files *data, const char *key)
if (data->fd != -1) {
#ifndef PHP_WIN32
/* check that this session file was created by us or root – we
- don't want to end up accepting the sessions of another webapp */
- if (fstat(data->fd, &sbuf) || (sbuf.st_uid != 0 && sbuf.st_uid != getuid() && sbuf.st_uid != geteuid())) {
+ don't want to end up accepting the sessions of another webapp
+
+ If the process is ran by root, we ignore session file ownership
+ Use case: session is initiated by Apache under non-root and then
+ accessed by backend with root permissions to execute some system tasks.
+
+ */
+ if (zend_fstat(data->fd, &sbuf) || (sbuf.st_uid != 0 && sbuf.st_uid != getuid() && sbuf.st_uid != geteuid() && getuid() != 0)) {
close(data->fd);
data->fd = -1;
php_error_docref(NULL, E_WARNING, "Session data file is not created by your uid");
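Review bot: The added `getuid() != 0` term in the `zend_fstat` condition switches the ownership check off entirely for a root-run process, so a session file owned by any uid in the save path is accepted as session data. Nothing visible in this hunk limits that to the CLI case named in the commit title. If the save path is writable by other local users, a root process would then trust a file they created, so the comment should state the requirement, e.g. `Note: when run as root, session.save_path must only be writable by trusted users.` The test also reads the real uid, so a process started by root that has lowered its effective uid still skips the check; if the intent is "currently holds root privileges", `geteuid() != 0` looks like the closer match, which is worth confirming. ps_files_open begins and ends outside this hunk, so how the descriptor was opened is not visible here.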