Fixed safe_mode validation inside tempnam() when the directory path does not end...

author Ilia Alshanetsky <iliaa@php.net>

Thu, 11 Feb 2010 12:32:21 +0000 (12:32 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Thu, 11 Feb 2010 12:32:21 +0000 (12:32 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Thu, 11 Feb 2010 12:32:21 +0000 (12:32 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Thu, 11 Feb 2010 12:32:21 +0000 (12:32 +0000)
diff --git a/NEWS b/NEWS

index 536fb986695542e0b44d399d72bea469e4162c1c..640ec8324e15342d355c31807b820d688721dc8c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,9 @@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? Feb 2010, PHP 5.2.13
+11 Feb 2010, PHP 5.2.13RC2
  - Downgrade bundled PCRE to version 7.9. (Ilia)
+- Fixed safe_mode validation inside tempnam() when the directory path does
+  not end with a /). (Martin Jansen)
  - Fixed a possible open_basedir/safe_mode bypass in session extension
    identified by Grzegorz Stachowiak. (Ilia)
  
diff --git a/ext/standard/file.c b/ext/standard/file.c

index c0bc477832a74f5a09ceed7a656145ed8ace121f..6fd1a4d9602ed436b0d12a6d920a1386df170d4d 100644 (file)
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -828,7 +828,7 @@ PHP_FUNCTION(tempnam)
         convert_to_string_ex(arg1);
         convert_to_string_ex(arg2);
  
-       if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+       if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                 RETURN_FALSE;
         }
author	Ilia Alshanetsky <iliaa@php.net>
	Thu, 11 Feb 2010 12:32:21 +0000 (12:32 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Thu, 11 Feb 2010 12:32:21 +0000 (12:32 +0000)
NEWS		patch \| blob \| history
ext/standard/file.c		patch \| blob \| history