authorRasmus Lerdorf <rasmus@php.net>2009-09-29 14:14:02 +0000
committerRasmus Lerdorf <rasmus@php.net>2009-09-29 14:14:02 +0000
commitbbd230d119f4d2341da5f68719c797f50f3ad45a (patch)
treec4f159b2f973bcedcedf20f027a3d23632d12f81
parentd5ee6d613d3a2128b0d59d3263dbb9ed079186db (diff)
Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
-rw-r--r--NEWS4
-rw-r--r--ext/standard/file.c4
2 files changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index b39684f1d5..0295fa30a9 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 20??, PHP 5.2.12
+- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
+ (Rasmus)
+- Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
+ Stachowiak. (Rasmus)
- Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
- Fixed bug #49647 (DOMUserData does not exist). (Rob)
- Fixed bug #49630 (imap_listscan function missing). (Felipe)
diff --git a/ext/standard/file.c b/ext/standard/file.c
index c7fc97ce15..9dcb4ca01d 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam)
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);
+ if (PG(safe_mode) &&(!php_checkuid(dir, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+ RETURN_FALSE;
+ }
+
if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}
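Review bot: The added safe_mode guard passes `dir` to php_checkuid(), but no `dir` is declared in the visible lines, and the open_basedir check directly below validates `Z_STRVAL_PP(arg1)` instead. Unless `dir` is a local defined earlier in PHP_FUNCTION(tempnam), outside this hunk, the new line either fails to compile or checks a different path from the one the function goes on to use. Both guards should test the same value, for example `if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) {`. A one-line comment such as `/* safe_mode: uid check on the caller-supplied directory */` would also record why this check sits ahead of the open_basedir one. The function body starts before and continues after this hunk, so the declaration of `dir` and the fallback path for an unusable directory cannot be confirmed from here.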