[Pmwiki-users] Upload behaviour
Ruediger Marwein
ruediger.marwein at web.de
Fri Jun 27 10:27:27 CDT 2003
Hi,
the function move_uploaded_file() causes the saved attachment to keep the
apache mask which is 600 nobody.nogroup by default. Which means "read and
write for nobody" (in two ways).
That way an admin (not root) can't remove/move the files. Just think of moving
PmWiki to another directory.
copy() -> unlink() does the job well and creates the file with the desired
umask.
scripts/upload.php (131-132)
=======
if (!copy($uploadfile['tmp_name'],$filepath))
{ Abort("?cannot move uploaded file to $filepath"); return; }
unlink($uploadfile['tmp_name']);
=======
Unfortunately this small patch does NOT apply to files which do already exist
even when they get overwritten. They keep their umask. :(
PmWiki is great. Good Job.
Gr33tZ
Ruediger
--
Ich liebe es, wenn ein Plan funktioniert.
Hannibal Smith
More information about the pmwiki-users
mailing list