Fixed bug #38993 (Fixed safe_mode/open_basedir checks for

session.save_path, allowing them to account for extra parameters).

NEWS

@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 - Fixed mess with CGI/CLI -d option (now it works with cgi; constants are
   working exactly like in php.ini; with FastCGI -d affects all requests).
   (Dmitry)
+- Fixed bug #38993 (Fixed safe_mode/open_basedir checks for
+  session.save_path, allowing them to account for extra parameters). (Ilia)
 - Fixed bug #38981 (using FTP URLs in get_headers() causes crash). (Tony)
 - Fixed bug #38961 (metaphone() results in segmentation fault on NetBSD). 
   (Tony)

ext/session/session.c

@@ -154,11 +154,19 @@ static PHP_INI_MH(OnUpdateSaveDir)
 {
 	/* Only do the safemode/open_basedir check at runtime */
 	if (stage == PHP_INI_STAGE_RUNTIME) {
-		if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+		char *p;
+
+		if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+			p++;
+		} else {
+			p = new_value;
+		}
+
+		if (PG(safe_mode) && (!php_checkuid(p, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
 			return FAILURE;
 		}
 
-		if (php_check_open_basedir(new_value TSRMLS_CC)) {
+		if (php_check_open_basedir(p TSRMLS_CC)) {
 			return FAILURE;
 		}
 	}

ext/standard/basic_functions.c

@@ -5622,7 +5622,6 @@ PHP_FUNCTION(ini_set)
 			_CHECK_PATH(varname, "java.class.path") ||
 			_CHECK_PATH(varname, "java.home") ||
 			_CHECK_PATH(varname, "java.library.path") ||
-			_CHECK_PATH(varname, "session.save_path") ||
 			_CHECK_PATH(varname, "vpopmail.directory")) {
 			if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(new_value), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
 				zval_dtor(return_value);