From eb3ff409b07e17020101a55fa73eafea9e0891eb Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 21 Jan 2004 02:28:50 +0000
Subject: [PATCH] Fixed bug #26974 (rename() doesn't check the destination file
 against safe_mode/open_basedir).

---
 main/streams/plain_wrapper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
index 2193577e89..c60063f355 100644
--- a/main/streams/plain_wrapper.c
+++ b/main/streams/plain_wrapper.c
@@ -973,11 +973,12 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, char *url_from, c
 		url_to = p + 3;
 	}
 
-	if (PG(safe_mode) &&(!php_checkuid(url_from, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+	if (PG(safe_mode) && (!php_checkuid(url_from, NULL, CHECKUID_CHECK_FILE_AND_DIR) ||
+				!php_checkuid(url_to, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
 		return 0;
 	}
 
-	if (php_check_open_basedir(url_from TSRMLS_CC)) {
+	if (php_check_open_basedir(url_from TSRMLS_CC) || php_check_open_basedir(url_to TSRMLS_CC)) {
 		return 0;
 	}
 
-- 
2.50.1