Fixed bug #26974 (rename() doesn't check the destination file

against safe_mode/open_basedir).
2026-03-26 01:02:25 +01:00 · 2004-01-21 02:28:50 +00:00
parent e36f5fb08b
commit eb3ff409b0
1 changed files with 3 additions and 2 deletions
--- a/main/streams/plain_wrapper.c
+++ b/main/streams/plain_wrapper.c
@@ -973,11 +973,12 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, char *url_from, c
 		url_to = p + 3;
 	}

-	if (PG(safe_mode) &&(!php_checkuid(url_from, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+	if (PG(safe_mode) && (!php_checkuid(url_from, NULL, CHECKUID_CHECK_FILE_AND_DIR) ||
+				!php_checkuid(url_to, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
 		return 0;
 	}

-	if (php_check_open_basedir(url_from TSRMLS_CC)) {
+	if (php_check_open_basedir(url_from TSRMLS_CC) || php_check_open_basedir(url_to TSRMLS_CC)) {
 		return 0;
 	}