Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
Garvin Hicking wrote:
Hi!
<?php
// List every entry in /tmp as the web server / PHP user
$d = opendir('/tmp');
while (($file = readdir($d)) !== false) {
    echo $file . "\n";
}
uuh, bad, this is really a misconfiguration! the web (apache and/or php) user should not have read access on this directory! only on the files created by themselves in there!
You are right, I messed this up myself by making /tmp world-writable. Sorry for the hassle. :)
world writable is _not_ wrong, world readable is wrong! ;-)
/tmp has always been world readable and writable!
mhm, ok, but we can agree that it is a misconfiguration if the directory with the session-data is readable by the web user
Of course we agree on that. On top of that, I think that /tmp is there by default for holding session data in php.ini-dist.
Marc
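
The distinction argued over in this thread (world-writable versus world-readable on the session directory) comes down to separate mode bits. As an added example that is not part of any message in the thread, this shell function reports which of them are set on a given directory; it assumes PHP's default file session handler naming (`sess_<id>`), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the "other" permission bits on a PHP session directory.
# Function names are hypothetical; pass the directory your session.save_path uses.

# Succeeds if the directory $1 itself (not its contents) matches find's mode test $2.
dir_has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Prints one finding per line, or "ok". Returns 0 = clean, 1 = findings, 2 = bad path.
audit_session_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "not-a-directory"
        return 2
    fi
    # o+r on a directory lets any local user list it; the default file
    # handler puts the session ID in the file name (sess_<id>).
    if dir_has_mode "$dir" -004; then
        echo "listable-by-others"
        rc=1
    fi
    # o+w is fine for a shared drop directory only if the sticky bit stops
    # users from deleting or replacing each other's files.
    if dir_has_mode "$dir" -002 && ! dir_has_mode "$dir" -1000; then
        echo "world-writable-without-sticky"
        rc=1
    fi
    # Session files themselves should be readable by their owner only.
    if [ -n "$(find "$dir" -type f -name 'sess_*' -perm -004 2>/dev/null | head -n 1)" ]; then
        echo "session-files-readable-by-others"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    fi
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/session/dir
if [ "$#" -gt 0 ]; then
    audit_session_dir "$1"
fi
```

A directory with mode 1733 (write and traverse for others, sticky bit set, no read) passes all three checks. Run it as root or as the directory owner so the file check can see inside.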