From: Lewis B. <lbe...@ab...> - 2000-08-12 23:25:53
Maybe I am missing something here, but to me it looks like we are already doing what is required by having a configured var, which is not writable by the httpd, that is the path for the copy attachments stuff. Are we saying someone can get by this by changing the address in the post? See below from the compose.php:

    if (!rename($attachfile, $attachment_dir.$localfilename)) {
        if (!copy($attachfile, $attachment_dir.$localfilename)) {
            plain_error_message(_("Could not move/copy file. File not attached"), $color);
            $failed = true;
        }
    }
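
The question in the message above is whether the source path ($attachfile) can be influenced by the request, independent of how the destination directory is configured. The following is an added example, not code from compose.php or from the original message, of a move that accepts the source only when PHP itself recorded it as an upload; the helper name store_attachment and the sample values are assumptions, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper, not part of compose.php.
// $upload is one entry of $_FILES; $attachment_dir is the configured
// directory discussed in the message and is assumed to end with "/".
function store_attachment(array $upload, string $attachment_dir): ?string
{
    // Reject failed or partial uploads.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }

    $source = $upload['tmp_name'] ?? '';

    // is_uploaded_file() is true only for a file PHP received through
    // HTTP POST upload in this request. A path that merely arrived as
    // request data fails this check, whatever file it names.
    if (!is_string($source) || !is_uploaded_file($source)) {
        return null;
    }

    // Choose the destination name on the server side.
    $localfilename = bin2hex(random_bytes(16));

    // move_uploaded_file() repeats the upload check before moving.
    if (!move_uploaded_file($source, $attachment_dir . $localfilename)) {
        return null;
    }
    return $localfilename;
}

// Constructed sample: a file that exists on disk but was not uploaded,
// standing in for a source path taken from request data.
$not_uploaded = tempnam(sys_get_temp_dir(), 'att');
$forged = [
    'error'    => UPLOAD_ERR_OK,
    'tmp_name' => $not_uploaded,
    'name'     => 'notes.txt',
];

// The helper refuses the entry because PHP did not record it as an upload.
var_dump(store_attachment($forged, sys_get_temp_dir() . '/'));
unlink($not_uploaded);
```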