MFH: Fixed bug #26974 (rename() doesn't check the destination file against
authorIlia Alshanetsky <iliaa@php.net>
Wed, 21 Jan 2004 02:33:22 +0000 (02:33 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Wed, 21 Jan 2004 02:33:22 +0000 (02:33 +0000)
safe_mode/open_basedir).

NEWS
ext/standard/file.c

diff --git a/NEWS b/NEWS
index 62b40a2a7f82b887a2894ab5ea8e699d1e2f79fc..817fbdda3fdbff61e880997902aed32f30b45dc2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jan 2004, Version 4.3.5
+- Fixed bug #26974 (rename() doesn't check the destination file against 
+  safe_mode/open_basedir). (Ilia)
 - Fixed bug #26969 (--with-openssl=shared build fails). (Jani)
 - Fixed bug #26949 (rand(min,max) always returns min when ZTS enabled). (Jani)
 - Fixed bug #26937 (Warning in xml.c). (Jani)
index 067d0cc78e1a35a29a496c1e9e03749dc6df7463..a8f660fcd05d94df29aaad3dec3560ad817d5bb6 100644 (file)
@@ -1899,11 +1899,12 @@ PHP_FUNCTION(rename)
        old_name = Z_STRVAL_PP(old_arg);
        new_name = Z_STRVAL_PP(new_arg);
 
-       if (PG(safe_mode) &&(!php_checkuid(old_name, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+       if (PG(safe_mode) && (!php_checkuid(old_name, NULL, CHECKUID_CHECK_FILE_AND_DIR) ||
+                               !php_checkuid(new_name, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
 
-       if (php_check_open_basedir(old_name TSRMLS_CC)) {
+       if (php_check_open_basedir(old_name TSRMLS_CC) || php_check_open_basedir(new_name TSRMLS_CC)) {
                RETURN_FALSE;
        }
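Review bot: The added `php_checkuid(new_name, ...)` and `php_check_open_basedir(new_name TSRMLS_CC)` calls validate the destination as a path string, so they only hold if no path component changes between these checks and the rename itself. The rename call is outside this hunk, so that gap is inferred rather than visible here. I would record the limit beside the open_basedir test with a comment such as `/* both paths are checked by name only; a link substituted after this point is not caught */`. Because the conditions short-circuit on `||`, a rejected `old_name` returns before `new_name` is examined, which is fine for enforcement but means only the first violation gets reported (assuming the helpers emit the warning). PHP_FUNCTION(rename) begins and ends outside the hunk, so the final rename call should be confirmed to use the same `old_name`/`new_name` values that were checked.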