I am wondering how the default values are determined for each of these values on Windows, Mac, Linux:
upload_tmp_dir
Also, are there any other php.ini variables that involve paths on the file system that you are aware of?
Based on my investigation on Windows it seems session.save_path is C:\Windows\Temp. Is this a safe location? When does this get deleted?
session.save_path
For session.save_path, the php.ini defined value is used by default, otherwise the path is determined here:
https://github.com/php/php-src/blob/master/ext/session/mod_files.c#L264
That calls php_get_temporary_directory which is defined here:
https://github.com/php/php-src/blob/master/main/php_open_temporary_file.c#L192
GetTempPath to get the temporary folder path (see http://msdn.microsoft.com/en-us/library/windows/desktop/aa364992%28v=vs.85%29.aspx)
/tmp
soap.wsdl_cache_dir
soap.wsdl_cache_dir attempts to use the defined php.ini value. If it isn't found it will default to /tmp via this code:
https://github.com/php/php-src/blob/master/ext/soap/soap.c#L520
Read more about STD_PHP_INI_ENTRY here: http://docstore.mik.ua/orelly/webprog/php/ch14_12.htm
upload_tmp_dir
upload_tmp_dir is set to NULL (but will use a php.ini override), along with many default values, in:
https://github.com/php/php-src/blob/master/main/main.c#L579
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
and used in file upload here:
https://github.com/php/php-src/blob/master/main/rfc1867.c#L1006
fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
This function, if an empty upload_tmp_dir is passed, defaults to using the php_get_temporary_directory function we mentioned earlier.
There are plenty. A quick look through https://github.com/php/php-src/blob/master/main/main.c shows plenty of default configs that use paths (open_basedir, include_path, sys_temp_dir, extension_dir and error_log to name just a few). In addition, extensions have their own collection of configurations that could include path parameters.
When opening temporary files on Windows, PHP sets the permission to be exclusive to the user running your webserver, which should mean only it, and administrators, would be able to access the contents of the file:
https://github.com/php/php-src/blob/master/main/php_open_temporary_file.c#L149
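To check where a given installation actually writes these files, the fallback described above can be resolved at runtime and the resulting directories inspected. The script below is an added example, not part of the answer or of php-src; the helper names effective_dir and audit_dir are hypothetical. It assumes it is run under the same SAPI and user as the web server, since the CLI may load a different php.ini.

```php
<?php
// Added example (not from php-src): show where PHP will really write session,
// upload and WSDL cache files, and flag shared or loosely permissioned dirs.
// true = an empty value falls back to the system temp dir, as the answer describes.
$settings = [
    'session.save_path'   => true,
    'upload_tmp_dir'      => true,
    'soap.wsdl_cache_dir' => false, // has its own compiled-in default
];

function effective_dir(string $name, bool $fallsBack): ?array
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;                       // setting unknown: extension not loaded
    }
    // session.save_path also accepts "N;/path" and "N;MODE;/path".
    if ($name === 'session.save_path' && ($pos = strrpos($raw, ';')) !== false) {
        $raw = substr($raw, $pos + 1);
    }
    $usedFallback = $fallsBack && $raw === '';
    return [$usedFallback ? sys_get_temp_dir() : $raw, $usedFallback];
}

function audit_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ['missing or not a directory'];
    }
    $notes = [];
    if (realpath($dir) === realpath(sys_get_temp_dir())) {
        $notes[] = 'shared system temp dir';
    }
    if (DIRECTORY_SEPARATOR === '/') {     // POSIX mode bits are only meaningful here
        $mode = fileperms($dir) & 07777;
        if (($mode & 0002) && !($mode & 01000)) {
            $notes[] = 'world-writable without sticky bit';
        }
        if ($mode & 0004) {
            $notes[] = 'world-listable (file names visible to other local users)';
        }
    }
    return $notes;
}

foreach ($settings as $name => $fallsBack) {
    $res = effective_dir($name, $fallsBack);
    if ($res === null) { echo "$name: not available\n"; continue; }
    [$dir, $usedFallback] = $res;
    printf("%s = %s%s\n  %s\n", $name, $dir, $usedFallback ? ' (fallback)' : '', implode('; ', audit_dir($dir)) ?: 'no findings');
}
```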