- [ main/safe_mode.h ] added new checkuid mode:
CHECKUID_ALLOW_ONLY_FILE: skips directory check if file check
fails
- [ ext/standard/dir.c ] changed php_checkuid() to use
CHECKUID_ALLOW_ONLY_FILE instead of CHECKUID_ALLOW_ONLY_DIR
- [ main/safe_mode.c ] added code for new checkuid mode
o Fixed Bug #12119: safe mode owner check can be bypassed with symlink
- [ main/safe_mode.c ] use VCWD_REALPATH to resolve destination
of symlink before trimming filename
o New Feature: safe_mode_include_dir (php.ini directive)
- Allows bypassing UID/GID checks when including files
from the directory in safe_mode_include_dir and its
subdirectories. (safe_mode must be on, directory must
also be in include_path or full path must be used when
including)
o Fixed Feature: safe_mode_gid (php.ini directive)
- Correctly check (and report) UID/GID bits on directories
o Changed include() fall back to script's cwd implementation
- CWD added to the (local) search path in php_fopen_with_path()
instead of separate case. [ main/fopen_wrappers.c ]
a gid check instead of a uid check.
@ - Add getmygid() and safe_mode_gid ini directive to allow safe mode to do
@ a gid check instead of a uid check. (James E. Flemer, Rasmus)
1. this depends on the patch to fix tsrm I sent to dev
2. this provides backwards compatibility, as long as sendmail_path in the ini file is empty, the old internal mailer will be used, once sendmail_path is defined, the external sendmail program will be used.
I tested with indigomail from www.indigostar.com, which provides the same command line interface as sendmail on linux.
and handle some corner cases better. The scanner has been changed
to the format as proposed in "RE2C - A More Versatile Scanner Generator"
by Cowan et al.
(PHP htmlentities, htmlspecialchars) Uses nl_langinfo to determine charset
@- Added nl_langinfo() (when OS provides it) that returns locale
information. (Wez Furlong)
# There are a lot of constants used by nl_langinfo; should we do something
# along the lines of what we do for syslog?
NAME and CONTENT to be in that order. Meta tags with no CONTENT attribute
are now added to the array as empty strings. Meta tags with no NAME
attribute are ignored.
- regression test checked (this time;-)
- added new regression test for references
- references _between_ session variables also work when the session var
replaces an already existing global var (this was a brain twister)
- saved one strlen call per session variable
- fixed one tiny leak
ignore differences in the twelfth element of the stat() array.
2. The 'test.file' is created by the script, thus the owner of the file
is the user id executing the script. A mode of 0654 does not grant
the owner the right to execute the file and therefore, the correct
output here is "not executable."