Added target ownership check in function copy for safe_mode operations
authorRomolo Manfredini <romolo@php.net>
Fri, 23 Mar 2001 09:30:51 +0000 (09:30 +0000)
committerRomolo Manfredini <romolo@php.net>
Fri, 23 Mar 2001 09:30:51 +0000 (09:30 +0000)
ext/standard/basic_functions.c
ext/standard/file.c

index cbfe5455b8c0612ec1c20d0861ae100515b1dfb8..c2e7bb2859c69c386627c674d9e4bb1ad53fa02c 100644 (file)
@@ -2490,7 +2490,11 @@ PHP_FUNCTION(move_uploaded_file)
        if (!zend_hash_exists(SG(rfc1867_uploaded_files), Z_STRVAL_PP(path), Z_STRLEN_PP(path)+1)) {
                RETURN_FALSE;
        }
-
+       
+       if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(new_path), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+               RETURN_FALSE;
+       }
+       
        V_UNLINK(Z_STRVAL_PP(new_path));
        if (rename(Z_STRVAL_PP(path), Z_STRVAL_PP(new_path))==0) {
                successful=1;
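Review bot: The added safe_mode guard on `new_path` checks ownership only, and the `V_UNLINK` and `rename` calls right after it act on that path directly, so nothing visible in this hunk applies the open_basedir restriction to the destination. If no such check exists earlier in `move_uploaded_file` (the function starts above this hunk and continues below it), add one next to the new guard, for example `if (php_check_open_basedir(Z_STRVAL_PP(new_path))) { RETURN_FALSE; }`, adjusted to the signature the tree currently uses. Keep it ahead of `V_UNLINK`, as the safe_mode guard is, so a rejected destination is never unlinked.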
index 2808d41a6bc40a3df9215889f4c162b6470b5007..e2062405b5a8975b1f1d75d67379bd1d25516f26 100644 (file)
@@ -1691,7 +1691,7 @@ PHP_FUNCTION(copy)
 {
        pval **source, **target;
        PLS_FETCH();
-       
+
        if (ARG_COUNT(ht) != 2 || zend_get_parameters_ex(2, &source, &target) == FAILURE) {
                WRONG_PARAM_COUNT;
        }
@@ -1702,7 +1702,11 @@ PHP_FUNCTION(copy)
        if (PG(safe_mode) &&(!php_checkuid((*source)->value.str.val, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
-       
+
+       if (PG(safe_mode) &&(!php_checkuid((*target)->value.str.val, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+               RETURN_FALSE;
+       }
+
        if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target))==SUCCESS) {
                RETURN_TRUE;
        } else {
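Review bot: The new target check in `copy` is made on the path string, and `php_copy_file` is then handed the same string again, so the ownership verified here is not bound to the file that is finally opened. A path component that changes between the two calls goes unchecked, and the same holds for the guard added before `V_UNLINK`/`rename` in `move_uploaded_file`. That limit deserves a comment above the guard, e.g. `/* safe_mode: target ownership is checked by path name only; php_copy_file is given the path again */`. As a style point, the added line reads `(*target)->value.str.val` while the call below uses `Z_STRVAL_PP(target)`; `if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(target), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {` would match it. The body of `copy` continues outside the hunk.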