- [ main/safe_mode.h ] added new checkuid mode:
CHECKUID_ALLOW_ONLY_FILE: skips directory check if file check
fails
- [ ext/standard/dir.c ] changed php_checkuid() to use
CHECKUID_ALLOW_ONLY_FILE instead of CHECKUID_ALLOW_ONLY_DIR
- [ main/safe_mode.c ] added code for new checkuid mode
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
- [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
of symlink before trimming filename
o New Feature: safe_mode_include_dir (php.ini directive)
- Allows bypassing UID/GID checks when including files
from the directory in safe_mode_include_dir and its
subdirectories. (safe_mode must be on, directory must
also be in include_path or full path must be used when
including)
o Fixed Feature: safe_mode_gid (php.ini directive)
- Correctly check (and report) UID/GID bits on directories
o Changed include() fall back to scripts cwd implementation
- CWD added to the (local) search path in php_fopen_with_path()
instead of seperate case. [ main/fopen_wrappers.c ]
Draft 3 of IEEE 1003.1 200x, "2.2 The Compilation Environment"
All identifiers that begin with an underscore and either an uppercase
letter or another underscore are always reserved for any use by the
implementation.
- So here is the short version:
- a) Start moving to binary opens in Windows
- b) Give checkuid_mode() a small face lift including the fopen-wrappers.c
- The mode to this function should at least be a #define but that is for
- another day. Anyway this whole stuff should be given more face lifts in
- the future.