I believe the patch below will fix bug#21531 but my blood sugar is high and my head feels like a brick. Could someone else take a look and see if it's at least nearly sane?
The problem seems to be that when php_stat tries to check for the existence of a file (called as file_exists()) on a server running safe mode and the file doesn't exist, the php_checkuid function winds up throwing an error before php_stat gets a chance to say "Hey, I don't care if it's not there." The solution being to only check the UID match on the directory and not care if the script owner is also the owner of the file being checked. After all we're only looking to see if the file is there, we're not looking at/altering its contents.
-Pollita
Index: filestat.c =================================================================== RCS file: /repository/php4/ext/standard/filestat.c,v retrieving revision 1.117 diff -u -r1.117 filestat.c --- filestat.c 5 Jan 2003 00:56:17 -0000 1.117 +++ filestat.c 9 Jan 2003 01:47:25 -0000 @@ -564,7 +564,7 @@ char *stat_sb_names[13]={"dev", "ino", "mode", "nlink", "uid", "gid", "rdev", "size", "atime", "mtime", "ctime", "blksize", "blocks"}; - if (PG(safe_mode) &&(!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + if (PG(safe_mode) &&(!php_checkuid(filename, NULL, (IS_EXISTS_CHECK(type) ? CHECKUID_ALLOW_ONLY_DIR : CHECKUID_CHECK_FILE_AND_DIR)))) { RETURN_FALSE; }
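Review bot: In the changed `if` of the `@@ -564,7 +564,7 @@` hunk, the relaxation to CHECKUID_ALLOW_ONLY_DIR is keyed on IS_EXISTS_CHECK(type), whose definition is not part of this hunk, while the message justifies the change only for file_exists(). Please confirm that the macro matches only the existence test and not other stat types routed through php_stat that return information about the file itself, because for every type it matches, safe mode will no longer compare the script owner with the file owner. A short comment above the condition stating why a directory-only check is sufficient for existence tests would help future readers, and moving the ternary into a local flags variable passed as the third argument would keep the php_checkuid call readable.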