That's not entirely true... if php is running as cgi it would need the execution bit set. Or if someone wanted to write a shell script in php to be used to help compromise a server it would need to be executable as well...
-----Original Message----- From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 26, 2002 11:08 PM To: David McInnis Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Does this seem odd? File Upload Permissions First, the execute bit means nothing over HTTP. So they couldn't just execute it remotely. They would need an account on the box. And second, PHP does not set the x bit, you are doing that. Check your default umask or set it explicitly with a call to umask() before copying the file into place. On Tue, 26 Mar 2002, David McInnis wrote: > Why does PHP set the execute bit on an uploaded file? This means a user > could upload a script and it would be executable. Ouch! Especially if > the file is available via httpd after upload. . . HELP. > > I am saving to a directory with permissions of 766 > > And when php copies the file it assigns the following permissions. > > rwxr-xr-x > > I am using the copy command to move the file from the tmp directory. > > David McInnis > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
