Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.

author Rasmus Lerdorf <rasmus@php.net>

Tue, 29 Sep 2009 14:14:02 +0000 (14:14 +0000)

committer Rasmus Lerdorf <rasmus@php.net>

Tue, 29 Sep 2009 14:14:02 +0000 (14:14 +0000)
author Rasmus Lerdorf <rasmus@php.net>
Tue, 29 Sep 2009 14:14:02 +0000 (14:14 +0000)
committer Rasmus Lerdorf <rasmus@php.net>
Tue, 29 Sep 2009 14:14:02 +0000 (14:14 +0000)
diff --git a/NEWS b/NEWS

index b39684f1d5645648fdde16fa9e4d3f91da620ef3..0295fa30a94dd6e82f58770645d7938d9a99f9c9 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? 20??, PHP 5.2.12
+- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.  
+  (Rasmus)
+- Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz 
+  Stachowiak.  (Rasmus)
  - Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
  - Fixed bug #49647 (DOMUserData does not exist). (Rob)
  - Fixed bug #49630 (imap_listscan function missing). (Felipe)
diff --git a/ext/standard/file.c b/ext/standard/file.c

index c7fc97ce1532f4b92f372864bede9b3d2cb441b5..9dcb4ca01d08cca17328d1eb05e7a6e04b3b914c 100644 (file)
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam)
         convert_to_string_ex(arg1);
         convert_to_string_ex(arg2);
  
+       if (PG(safe_mode) &&(!php_checkuid(dir, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+               RETURN_FALSE;
+       }
+
         if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
                 RETURN_FALSE;
         }
author	Rasmus Lerdorf <rasmus@php.net>
	Tue, 29 Sep 2009 14:14:02 +0000 (14:14 +0000)
committer	Rasmus Lerdorf <rasmus@php.net>
	Tue, 29 Sep 2009 14:14:02 +0000 (14:14 +0000)
NEWS		patch \| blob \| history
ext/standard/file.c		patch \| blob \| history