nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Do not automatically set and create TempDir, it might lead to secrity issue (thanks to Thijs Kinkhorst).

Browse Source
This commit is contained in:
Michal Čihař
2008-09-02 17:35:48 +00:00
parent ca5d9f1afc
commit 6c96a59db5
2 changed files with 5 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@@ -6,7 +6,10 @@ $Id$
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
2.11.10.0 (not yet released)
- [core] safer handling of temporary files with open_basedir (thanks to Thijs Kinkhorst)
- [core] safer handling of temporary files with open_basedir (thanks to Thijs
Kinkhorst)
- [core] do not automatically set and create TempDir, it might lead to secrity
issue (thanks to Thijs Kinkhorst)
2.11.9.0 (2008-08-28)
- bug #2031221 [auth] Links to version number on login screen

29
libraries/File.class.php
View File

@@ -527,34 +527,7 @@ class PMA_File
return true;
}
/**
* it is not important if open_basedir is set - we just cannot read the file
* so we try to move it
if ('' != ini_get('open_basedir')) {
*/
// check tmp dir config
if (empty($GLOBALS['cfg']['TempDir'])) {
$GLOBALS['cfg']['TempDir'] = 'tmp/';
}
// suppress warnings from being displayed, but not from being logged
ob_start();
// check tmp dir
if (! is_dir($GLOBALS['cfg']['TempDir'])) {
// try to create the tmp directory
if (@mkdir($GLOBALS['cfg']['TempDir'], 0777)) {
chmod($GLOBALS['cfg']['TempDir'], 0777);
} else {
// create tmp dir failed
$this->_error_message = $GLOBALS['strFieldInsertFromFileTempDirNotExists'];
ob_end_clean();
return false;
}
}
ob_end_clean();
if (! is_writable($GLOBALS['cfg']['TempDir'])) {
if (empty($GLOBALS['cfg']['TempDir']) || ! is_writable($GLOBALS['cfg']['TempDir'])) {
// cannot create directory or access, point user to FAQ 1.11
$this->_error_message = $GLOBALS['strFieldInsertFromFileTempDirNotExists'];
return false;