From: Romolo Manfredini Date: Fri, 23 Mar 2001 09:30:51 +0000 (+0000) Subject: Added target ownership check in function copy for safe_mode operations X-Git-Tag: php-4.0.6RC1~588 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=01ac20050e7f61e533d9cade8f26be2c7f139bf4;p=php Added target ownership check in function copy for safe_mode operations
---
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index cbfe5455b8..c2e7bb2859 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -2490,7 +2490,11 @@ PHP_FUNCTION(move_uploaded_file)
 if (!zend_hash_exists(SG(rfc1867_uploaded_files), Z_STRVAL_PP(path), Z_STRLEN_PP(path)+1)) {
 RETURN_FALSE;
 }
-
+
+ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(new_path), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+
 V_UNLINK(Z_STRVAL_PP(new_path));
 if (rename(Z_STRVAL_PP(path), Z_STRVAL_PP(new_path))==0) {
 successful=1;
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 2808d41a6b..e2062405b5 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -1691,7 +1691,7 @@ PHP_FUNCTION(copy)
 {
 pval **source, **target;
 PLS_FETCH();
-
+
 if (ARG_COUNT(ht) != 2 || zend_get_parameters_ex(2, &source, &target) == FAILURE) {
 WRONG_PARAM_COUNT;
 }
@@ -1702,7 +1702,11 @@ PHP_FUNCTION(copy)
 if (PG(safe_mode) &&(!php_checkuid((*source)->value.str.val, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
 RETURN_FALSE;
 }
-
+
+ if (PG(safe_mode) &&(!php_checkuid((*target)->value.str.val, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+
 if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target))==SUCCESS) {
 RETURN_TRUE;
 } else {
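Review bot: The safe_mode check added before `V_UNLINK` tests `new_path` by name, while `V_UNLINK` and `rename` on the following lines resolve the same path again, so the check is not atomic with the operations it guards and a path component that changes in between is not covered. That limit is worth stating at the check, e.g. `/* safe_mode: ownership is checked by path name; unlink/rename below re-resolve new_path */`. The same applies to the new target check in `PHP_FUNCTION(copy)` in ext/standard/file.c, where `php_copy_file` is called on the target after the check. No open_basedir test on `new_path` is visible in this hunk; it may exist elsewhere, since the function body starts and ends outside the hunk.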
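Review bot: The new target check in `PHP_FUNCTION(copy)` reads the string as `(*target)->value.str.val`, while the `php_copy_file` call just below it and the matching check in move_uploaded_file use `Z_STRVAL_PP`; `if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(target), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {` would be consistent. The source and target checks are now two blocks of the same shape and could be one condition joined with `||`. A one-line comment on why the target is checked (presumably so copy() cannot write to a file or directory the script owner does not own) would help the next reader. The function body starts and ends outside the hunk, so whether `target` has been converted to a string before this line cannot be confirmed here.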