PHP :: Bug #15928 :: move_uploaded_file() is unsafe running in safe-mode

Bug #15928	move_uploaded_file() is unsafe running in safe-mode
Submitted:	2002-03-07 06:15 UTC	Modified:	2002-03-19 03:18 UTC
From:	webmaster at unizh dot ch	Assigned:
Status:	Closed	Package:	PHP options/info functions
PHP Version:	4.1.2	OS:	AIX
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	webmaster at unizh dot ch
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-03-07 06:15 UTC] webmaster at unizh dot ch

Security issue in move_uploaded_file() while in safe-mode

We have different web-sites running on our server. Each of them
may prepare a directory in which files may be written using php-upload
and move_uploaded_file(). Our webserver runs with safe-mode-restriction.

The documentations says, as mentioned, that this is not unsafe.

Note: move_uploaded_file() is not affected by the normal
                       safe-mode UID-restrictions. This is not unsafe because
                       move_uploaded_file() only operates on files uploaded via PHP. 

In fact, it is. If I know a directory of another website which
allows to upload files via php, I'll be able to write a file to this location,
offering an upload-script on my website. I could on this way put
offending files in someone elses website, who probably protectet his
php-upload-script with .htaccess.

I would suggest that move_uploaded_file() should be modified that
way, that files may only be moved to directories whose owner is the
same as the upload-script while safe-mode restriction applies. 
This approach would guarantee that nobody else as the people who 
offers an upload-script will be able to put files in the owners webspace. 

After such a modification move_uploaded_file() will be really safe. At
present, it's not. It allows to skip safe-mode-restriction.

Kind regards and thanks for any feedback

Roberto

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-17 12:35 UTC] sander@php.net

This is already implemented.

[2002-03-19 03:04 UTC] webmaster at unizh dot ch

Sorry, but in fact the bug still persists in php 4.1.2
a php script owned by uid=xxx is able to upload
files to a directory owned by uid=yyy in safe_mode.
Please reopen this bug.

[2002-03-19 03:07 UTC] derick@php.net

I think Sander meant it's fixed in CVS. Can you try a snapshot from snaps.php.net, or wait for 4.2.0RC1, which will be rolled tomorrow?

Derick

[2002-03-19 03:16 UTC] webmaster at unizh dot ch

Sorry, since we were running php 4.1.1 still yesterday
I was not aware that Sander meant that the bug was
fixed in CVS. Since you announced the new release
for tomorrow, I'll wait and try it out.

Thanks Roberto

[2002-03-19 03:18 UTC] derick@php.net

I didn't say "release" but RC, which means "release candidate".

Derick

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 11:00:02 2025 UTC