From: Debian PHP Maintainers
Date: Sat, 2 May 2015 08:26:52 +0000 (+0200)
Subject: php.ini_securitynotes
X-Git-Tag: archive/raspbian/8.4.11-1+rpi1~1^2~41
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=cd5d062cbbfa83d994e1c96db5cc73dfdde2764c;p=php8.4.git

php.ini_securitynotes

Gbp-Pq: Name 0005-php.ini_securitynotes.patch
---

diff --git a/php.ini-development b/php.ini-development
index ddf11acd..1565f6bd 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -315,6 +315,12 @@ serialize_precision = -1
 ; or per-virtualhost web server configuration file.
 ; Note: disables the realpath cache
 ; https://php.net/open-basedir
+
+; NOTE: this is considered a "broken" security measure.
+; Applications relying on this feature will not receive full
+; support by the security team. For more information please
+; see /usr/share/doc/php-common/README.Debian.security
+;
 ;open_basedir =
 
 ; This directive allows you to disable certain functions.
@@ -1372,7 +1378,7 @@ session.save_handler = files
 ; where MODE is the octal representation of the mode. Note that this
 ; does not overwrite the process's umask.
 ; https://php.net/session.save-path
-;session.save_path = "/tmp"
+;session.save_path = "/var/lib/php/sessions"
 
 ; Whether to use strict session mode.
 ; Strict session mode does not accept an uninitialized session ID, and
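Review bot: The NOTE added above `;open_basedir =` calls the directive a "broken" security measure but gives no reason, so an administrator reading only php.ini cannot tell what risk is meant or what to use instead. A short reason in the file would make it actionable, for example `; open_basedir is enforced only by PHP itself and is not a sandbox; isolate untrusted code with OS-level controls (separate users, filesystem permissions).` The pointer to /usr/share/doc/php-common/README.Debian.security only helps where that package's documentation is installed, which is a further reason to keep the one-line rationale in the file.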
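Review bot: The new value in `;session.save_path = "/var/lib/php/sessions"` is still commented out, so this hunk changes what the file documents, not what PHP uses. The effective path comes from the compiled-in default, which is not visible here and is presumably patched to match. Since the aim is to move session files out of world-writable /tmp, the comment block should say what the new directory needs, for example `; The directory must exist and must not be readable or listable by other local users.` If the directory is packaged as unlistable, PHP's built-in session garbage collection may be unable to scan it, so it is worth confirming that cleanup is handled elsewhere.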