diff --git a/ChangeLog b/ChangeLog
index 3708a4e62..eefe1fff2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,7 +6,10 @@ $Id$
 $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
 2.11.10.0 (not yet released)
-- [core] safer handling of temporary files with open_basedir (thanks to Thijs Kinkhorst)
+- [core] safer handling of temporary files with open_basedir (thanks to Thijs
+ Kinkhorst)
+- [core] do not automatically set and create TempDir, it might lead to secrity
+ issue (thanks to Thijs Kinkhorst)
 2.11.9.0 (2008-08-28)
 - bug #2031221 [auth] Links to version number on login screen
diff --git a/libraries/File.class.php b/libraries/File.class.php
index 9d21040a8..c23a38ead 100644
--- a/libraries/File.class.php
+++ b/libraries/File.class.php
@@ -527,34 +527,7 @@ class PMA_File
 return true;
 }
- /**
- * it is not important if open_basedir is set - we just cannot read the file
- * so we try to move it
- if ('' != ini_get('open_basedir')) {
- */
-
- // check tmp dir config
- if (empty($GLOBALS['cfg']['TempDir'])) {
- $GLOBALS['cfg']['TempDir'] = 'tmp/';
- }
-
- // suppress warnings from being displayed, but not from being logged
- ob_start();
- // check tmp dir
- if (! is_dir($GLOBALS['cfg']['TempDir'])) {
- // try to create the tmp directory
- if (@mkdir($GLOBALS['cfg']['TempDir'], 0777)) {
- chmod($GLOBALS['cfg']['TempDir'], 0777);
- } else {
- // create tmp dir failed
- $this->_error_message = $GLOBALS['strFieldInsertFromFileTempDirNotExists'];
- ob_end_clean();
- return false;
- }
- }
- ob_end_clean();
-
- if (! is_writable($GLOBALS['cfg']['TempDir'])) {
+ if (empty($GLOBALS['cfg']['TempDir']) || ! is_writable($GLOBALS['cfg']['TempDir'])) {
 // cannot create directory or access, point user to FAQ 1.11
 $this->_error_message = $GLOBALS['strFieldInsertFromFileTempDirNotExists'];
 return false;
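Review bot: The new guard in libraries/File.class.php accepts any writable path as TempDir, because the `is_dir()` test was removed together with the auto-creation code; a TempDir that points at a regular file passes here and would only fail later, presumably when the uploaded file is moved. I would keep the directory check in the condition: `if (empty($GLOBALS['cfg']['TempDir']) || ! is_dir($GLOBALS['cfg']['TempDir']) || ! is_writable($GLOBALS['cfg']['TempDir'])) {`. The context comment `// cannot create directory or access, point user to FAQ 1.11` is stale now that nothing is created, and could read `// TempDir is not configured, not a directory or not writable; the administrator must create it, point user to FAQ 1.11`. Since the directory is now provisioned by the administrator rather than created with mode 0777 as in the removed lines, the configuration docs should state that it must not be world-writable. The enclosing method starts and ends outside the hunk.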