Fixed bug #31270 (missing safe_mode/open_basedir check in swf_openfile()).

diff --git a/NEWS b/NEWS
index c2c2087441dce8c73d1e42a362f1fd80658dfe67..b3d10c63dfb9d3464183d3dfe625135b12f0f5b4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, Version 4.3.11
 - Added Oracle Instant Client support. (cjbj at hotmail dot com, Tony)
+- Fixed bug #31270 (missing safe_mode/open_basedir check in swf_openfile()). (Ilia)
 - Fixed bug #31174 (compile warning in url.c). (Ilia, lukem at NetBSD dot org)
 - Fixed bug #31159 (COM object access is not working). (Wez)
 - Fixed bug #31142 (imap_mail_compose() fails to generate correct output). (Ilia)

diff --git a/ext/swf/swf.c b/ext/swf/swf.c
index a48f17aaef9ef35da9412aa08f50bdb65175853a..e314ccf77e190099cd148e5d9196ff0d02be3b75 100644 (file)
--- a/ext/swf/swf.c
+++ b/ext/swf/swf.c
@@ -239,12 +239,17 @@ PHP_FUNCTION(swf_openfile)
        }
        na = tmpna;
 #endif
+       if (php_check_open_basedir(na TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(na, "wb+", CHECKUID_CHECK_MODE_PARAM))) {
+               goto err;
+       }
+       
        if (!SWFG(use_file))
                SWFG(tmpfile_name) = na;
 
        swf_openfile(na,(float)Z_DVAL_PP(sizeX), (float)Z_DVAL_PP(sizeY),
                         (float)Z_DVAL_PP(frameRate), (float)Z_DVAL_PP(r), 
                         (float)Z_DVAL_PP(g), (float)Z_DVAL_PP(b));
+err:
 #ifdef VIRTUAL_DIR
        free(na);
 #endif