[Pmwiki-users] Upload behaviour

Ruediger Marwein ruediger.marwein at web.de
Fri Jun 27 10:27:27 CDT 2003


Hi,

the function move_uploaded_file() causes the saved attachment to keep the 
apache mask which is 600 nobody.nogroup by default. Which means "read and 
write for nobody" (in two ways).
That way an admin (not root) can't remove/move the files. Just think of moving 
PmWiki to another directory.

copy() -> unlink() does the job well and creates the file with the desired 
umask.

scripts/upload.php (131-132)
=======
    if (!copy($uploadfile['tmp_name'],$filepath))
      { Abort("?cannot move uploaded file to $filepath"); return; }
    unlink($uploadfile['tmp_name']);
=======
 
Unfortunately this small patch does NOT apply to files which do already exist 
even when they get overwritten. They keep their umask. :(

PmWiki is great. Good Job.

Gr33tZ
Ruediger

-- 
Ich liebe es, wenn ein Plan funktioniert.
  Hannibal Smith





More information about the pmwiki-users mailing list