open_basedir ini option didn't work. It was removing the trailing
slashes and then addeding it back to only one of the string,
now it adds it back to to both if needed.
(semi)colon separated path, rather than a single directory.
Also moved checking of said path into a separate path for code
readability.
@- Changed php.ini directive 'safe_mode_include_dir' to accept a
@ (semi)colon separated path (like 'include_path') rather than
@ a single directory. (jflemer)
- Move to the new ts_allocate_id() API
This patch is *bound* to break some files, as I must have had typos somewhere.
If you use any uncommon extension, please try to build it...
- [ main/safe_mode.h ] added new checkuid mode:
CHECKUID_ALLOW_ONLY_FILE: skips directory check if file check
fails
- [ ext/standard/dir.c ] changed php_checkuid() to use
CHECKUID_ALLOW_ONLY_FILE instead of CHECKUID_ALLOW_ONLY_DIR
- [ main/safe_mode.c ] added code for new checkuid mode
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
- [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
of symlink before trimming filename
o New Feature: safe_mode_include_dir (php.ini directive)
- Allows bypassing UID/GID checks when including files
from the directory in safe_mode_include_dir and its
subdirectories. (safe_mode must be on, directory must
also be in include_path or full path must be used when
including)
o Fixed Feature: safe_mode_gid (php.ini directive)
- Correctly check (and report) UID/GID bits on directories
o Changed include() fall back to scripts cwd implementation
- CWD added to the (local) search path in php_fopen_with_path()
instead of seperate case. [ main/fopen_wrappers.c ]
current working directory if everything else fails (include_path).
- Right now this also effects things like opening php.ini. It'll now always
check in the current working directory for php.ini. I think this doesn't
screw up todays behavior.
