[24807] in bugtraq
Re: move_uploaded_file breaks safe_mode restrictions in PHP
daemon@ATHENA.MIT.EDU (sesser@php.net)
Fri Mar 22 20:55:23 2002
Date: Fri, 22 Mar 2002 11:05:23 +0100
From: sesser@php.net
To: b0iler _ <b0iler@hotmail.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20020322100523.GA22884@php.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <F111q65Rn8P5o7P6umL0000065f@hotmail.com>

Hi,

Maybe I should simply quote the documentation at:

http://www.php.net/manual/en/function.move-uploaded-file.php

It says:

    Note: move_uploaded_file() is not affected by the normal safe-mode
    UID-restrictions. This is not unsafe because move_uploaded_file()
    only operates on files uploaded via PHP.

Maybe all the guys complaining should first read the documentation
of move_uploaded_file. It is wrong because it states that
move_uploaded_file is safe_mode unaware (and it was only not aware
of safe_mode because of that bug), but how come you assume it is
safe_mode aware if the documentation says it is not?

Before crying around: RTFM. And feel free to disable
move_uploaded_file() in your php.ini.

The next release of PHP will have move_uploaded_file() fully
safe_mode aware. This feature is now added.

Stefan Esser
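
The following is an added example, not part of the original message and not PHP's own safe_mode code. It sketches a wrapper that applies an owner check of the kind the safe_mode UID restriction performs (script owner UID compared with the owner of the destination) before calling move_uploaded_file(). The names destination_owned_by() and checked_move_uploaded_file() are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not PHP's safe_mode implementation.

// True if $uid owns the destination file or, when the file does not exist
// yet, the directory it would be created in.
function destination_owned_by($dest, $uid)
{
    clearstatcache();
    if (is_link($dest)) {
        return false;               // do not write through a symlink
    }
    $target = file_exists($dest) ? $dest : dirname($dest);
    $real = realpath($target);      // resolve ../ and symlinked directories
    if ($real === false) {
        return false;               // destination directory does not exist
    }
    $owner = fileowner($real);
    return $owner !== false && $owner === $uid;
}

// Move an upload only if the source really is an HTTP upload and the
// destination belongs to the owner of the running script.
function checked_move_uploaded_file($tmp, $dest)
{
    $uid = getmyuid();              // UID of the script's owner
    if ($uid === false) {
        return false;
    }
    if (!is_uploaded_file($tmp)) {
        return false;               // not a file uploaded via PHP
    }
    if (!destination_owned_by($dest, $uid)) {
        return false;               // owner mismatch: refuse the move
    }
    return move_uploaded_file($tmp, $dest);
}
```

The check and the move are separate system calls, so this narrows but does not close the window in which the destination can change between them.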