From c75458bac3672b4672e1cca8049a5c2c00f0170d Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Thu, 23 Dec 2004 18:04:10 +0000
Subject: [PATCH] Fixed bug #31270 (missing safe_mode/open_basedir check in swf_openfile()).

---
 NEWS | 1 +
 ext/swf/swf.c | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/NEWS b/NEWS
index c2c2087441..b3d10c63df 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, Version 4.3.11
 - Added Oracle Instant Client support. (cjbj at hotmail dot com, Tony)
+- Fixed bug #31270 (missing safe_mode/open_basedir check in swf_openfile()). (Ilia)
 - Fixed bug #31174 (compile warning in url.c). (Ilia, lukem at NetBSD dot org)
 - Fixed bug #31159 (COM object access is not working). (Wez)
 - Fixed bug #31142 (imap_mail_compose() fails to generate correct output). (Ilia)
diff --git a/ext/swf/swf.c b/ext/swf/swf.c
index a48f17aaef..e314ccf77e 100644
--- a/ext/swf/swf.c
+++ b/ext/swf/swf.c
@@ -239,12 +239,17 @@ PHP_FUNCTION(swf_openfile)
 }
 na = tmpna;
 #endif
+ if (php_check_open_basedir(na TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(na, "wb+", CHECKUID_CHECK_MODE_PARAM))) {
+ goto err;
+ }
+
 if (!SWFG(use_file))
 SWFG(tmpfile_name) = na;
 
 swf_openfile(na,(float)Z_DVAL_PP(sizeX), (float)Z_DVAL_PP(sizeY),
 (float)Z_DVAL_PP(frameRate), (float)Z_DVAL_PP(r),
 (float)Z_DVAL_PP(g), (float)Z_DVAL_PP(b));
+err:
 #ifdef VIRTUAL_DIR
 free(na);
 #endif
-- 
2.40.0
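Review bot: The rejection path at `goto err;` in the ext/swf/swf.c hunk skips the open but sets no failure result, so a script that ignores any warning raised by the checks may keep calling swf_* functions as if a file had been opened; `RETVAL_FALSE;` before the `goto` would make the denial testable. The jump also bypasses `SWFG(tmpfile_name) = na;`, so when `SWFG(use_file)` is false and `na` names a temporary file created earlier in the function (outside this hunk), nothing visible here records or removes it. The `err:` label is followed only by the `#ifdef VIRTUAL_DIR` block, and the rest of the function is not shown; if the closing brace comes next, a build without VIRTUAL_DIR ends on a bare label, which a `return;` after the `#endif` would avoid. The check validates the path by name and the library then opens it by name, so a comment noting that the path can change between the two steps would help the next reader.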