But it would mean that you would have to severely misconfigure your server and write severely braindead code. Simply putting a file in your document_root that has the x bit set will under normal circumstances not do anything.

On Tue, 26 Mar 2002, Demitrious S. Kelly wrote:
> That's not entirely true... if php is running as cgi it would need the
> execution bit set. Or if someone wanted to write a shell script in php
> to be used to help compromise a server it would need to be executable as
> well...
>
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 11:08 PM
> To: David McInnis
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Does this seem odd? File Upload Permissions
>
> First, the execute bit means nothing over HTTP. So they couldn't just
> execute it remotely. They would need an account on the box.
>
> And second, PHP does not set the x bit, you are doing that. Check your
> default umask or set it explicitly with a call to umask() before copying
> the file into place.
>
> On Tue, 26 Mar 2002, David McInnis wrote:
>
> > Why does PHP set the execute bit on an uploaded file? This means a user
> > could upload a script and it would be executable. Ouch! Especially if
> > the file is available via httpd after upload. . . HELP.
> >
> > I am saving to a directory with permissions of 766
> >
> > And when php copies the file it assigns the following permissions.
> >
> > rwxr-xr-x
> >
> > I am using the copy command to move the file from the tmp directory.
> >
> > David McInnis

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
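
The advice quoted above (set the umask explicitly with umask() before copying the file into place), as an added example that is not part of the original thread. The helper name `store_copied_upload()` is hypothetical, the chmod() and fileperms() check go one step beyond what the thread suggests, and the temp file and directory are constructed stand-ins for a real upload.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// Copies a file into place under a known umask, then forces an explicit
// mode so the result does not depend on inherited process defaults.
function store_copied_upload(string $tmpPath, string $dest): int
{
    $old = umask(0022);              // set the umask explicitly, keep the old value
    try {
        if (!copy($tmpPath, $dest)) {
            throw new RuntimeException("copy to $dest failed");
        }
        // Explicit mode rw-r--r--: no execute bit for owner, group or other.
        if (!chmod($dest, 0644)) {
            throw new RuntimeException("chmod on $dest failed");
        }
    } finally {
        umask($old);                 // restore the process-wide umask
    }

    // Verify what actually landed on disk instead of trusting the calls above.
    clearstatcache(true, $dest);
    $mode = fileperms($dest) & 0777;
    if ($mode & 0111) {
        unlink($dest);
        throw new RuntimeException(sprintf('execute bit present: %04o', $mode));
    }
    return $mode;
}

// Constructed sample input standing in for the uploaded temp file.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "constructed upload body\n");

// Constructed destination directory standing in for the upload directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($dir, 0755);
$dest = $dir . '/upload.dat';

$mode = store_copied_upload($tmp, $dest);
printf("%s stored with mode %04o\n", basename($dest), $mode);

// Clean up the constructed files.
unlink($dest);
rmdir($dir);
unlink($tmp);
```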