oss-sec mailing list archives

Re: CVE-2013-6501 php: predictable filename used for cache in world writable directory


From: Stanislav Malyshev <smalyshev () gmail com>
Date: Sun, 08 Feb 2015 14:49:12 -0800

Hi!

https://bugzilla.redhat.com/show_bug.cgi?id=1009103

not sure if this got fixed or not, PHP can you comment?

This seems to be easily fixed by proper configuration (i.e. having
soap.wsdl_cache_dir set to a directory accessible only to the user
running PHP, or, on the shared host, having per-user config for each
user) but I'm not sure how to fix it in the generic case since that
directory wouldn't exist by default. On specific package - like RH - it
could create a separate directory - like /tmp/php-wsdl-cache - with web
server permissions and set the variable to use it - but since default
PHP install has no install scripts not sure yet how to improve it in a
generic way.
-- 
Stas Malyshev
smalyshev () gmail com
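
The configuration fix described in the message above, sketched as an added example that is not part of the original post or of PHP itself: create a private directory for `soap.wsdl_cache_dir` and audit it before use. The function names are hypothetical, and the account PHP runs as is assumed to be the current user unless passed explicitly.

```shell
# Added example: prepare and audit a private directory for soap.wsdl_cache_dir.
# php.ini would then carry:  soap.wsdl_cache_dir = /tmp/php-wsdl-cache

# check_wsdl_cache_dir DIR [OWNER]  (hypothetical helper)
# OWNER is the account PHP runs as (assumption: defaults to the current user).
check_wsdl_cache_dir() {
    wc_dir=$1
    wc_owner=${2:-$(id -un)}
    wc_status=0
    # A symlink can be repointed by whoever controls its parent directory.
    if [ -L "$wc_dir" ]; then
        echo "FAIL: $wc_dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$wc_dir" ]; then
        echo "FAIL: $wc_dir is not a directory" >&2
        return 1
    fi
    # Only the PHP user may own the cache directory.
    if [ -z "$(find "$wc_dir" -prune -user "$wc_owner")" ]; then
        echo "FAIL: $wc_dir is not owned by $wc_owner" >&2
        wc_status=1
    fi
    # "Accessible only to the user": no group or other permission bits set.
    wc_loose=$(find "$wc_dir" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$wc_loose" ]; then
        echo "FAIL: $wc_dir grants access to group or others" >&2
        wc_status=1
    fi
    return "$wc_status"
}

# make_wsdl_cache_dir DIR  (hypothetical helper)
make_wsdl_cache_dir() {
    # No -p: if the path already exists (possibly pre-created by another
    # local user in a world-writable parent), fail instead of reusing it.
    if ! mkdir -m 700 "$1"; then
        echo "FAIL: could not create $1 (already exists?)" >&2
        return 1
    fi
    check_wsdl_cache_dir "$1"
}
```

Run `make_wsdl_cache_dir` as the account PHP runs as, for example from a package install script, and rerun `check_wsdl_cache_dir` whenever the setting or the host changes.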

