- [ main/safe_mode.h ] added new checkuid mode:
CHECKUID_ALLOW_ONLY_FILE: skips directory check if file check
fails
- [ ext/standard/dir.c ] changed php_checkuid() to use
CHECKUID_ALLOW_ONLY_FILE instead of CHECKUID_ALLOW_ONLY_DIR
- [ main/safe_mode.c ] added code for new checkuid mode
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
- [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
of symlink before trimming filename
o New Feature: safe_mode_include_dir (php.ini directive)
- Allows bypassing UID/GID checks when including files
from the directory in safe_mode_include_dir and its
subdirectories. (safe_mode must be on, directory must
also be in include_path or full path must be used when
including)
o Fixed Feature: safe_mode_gid (php.ini directive)
- Correctly check (and report) UID/GID bits on directories
o Changed include() fall back to scripts cwd implementation
- CWD added to the (local) search path in php_fopen_with_path()
instead of seperate case. [ main/fopen_wrappers.c ]
current working directory if everything else fails (include_path).
- Right now this also effects things like opening php.ini. It'll now always
check in the current working directory for php.ini. I think this doesn't
screw up todays behavior.
- comfiguration is now done by an ini parameter
instead of a compile time option
- the implementations of the three standard wrappers
now live in seperate files in ext/standard
- the compiler is happy again, no more warnings
- I started with trying to localize the V_FOPEN's so that we can have a
- version which won't really open the file for include_once/require_once to
- work faster and have less chance of a race which would cause a fd leak.
- What I did will, therefore, change but I want to do this step by step
- because the code is extremley messy so first of all I want to make sure
- that the isolating of the V_FOPEN code doesn't break anything.
- How about moving URL stuff out of this file?
- php_fopen_url_wrapper() copy and pasted the second part of
- php_fopen_wrapper() (incorrectly). Please try not to copy&paste code but
- centralize functionality. Need to think of a nice way to nuke one of the
- copies and have both functions use the same one.
