PHP :: Bug #41824 :: move_uploaded_file open

Bug #41824

move_uploaded_file open_basedir problem

Submitted:

2007-06-27 14:16 UTC

Modified:

2008-07-11 21:27 UTC

Votes:	16
Avg. Score:	4.0 ± 0.9
Reproduced:	14 of 14 (100.0%)
Same Version:	6 (42.9%)
Same OS:	4 (28.6%)

From:

mueller at intertrend dot de

Assigned:

Status:

Wont fix

Package:

Safe Mode/open_basedir

PHP Version:

4.4.7

OS:

SUSE LINUX 10.0

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	mueller at intertrend dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-06-27 14:16 UTC] mueller at intertrend dot de

Description:
------------
move_uploaded_file() does not work if open_basedir is set.

settings in php.ini:
file_uploads = On
upload_tmp_dir = /tmp

settings in httpd.conf:
php_admin_value open_basedir /www/com/servername

tmp-dir and destination-dir are on the same filesystem.

Reproduce code:
---------------
$uploaddir = '/www/com/servername';
$uploadfile = $uploaddir . basename($_FILES['userfile']['tmp_name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";


Expected result:
----------------
File is valid, and was successfully uploaded.

Actual result:
--------------
Warning:  move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/php5bwW9n) is not within the allowed path(s): (/www/com/servername) in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file(/tmp/php5bwW9n) [function.move-uploaded-file]: failed to open stream: Operation not permitted in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php5bwW9n' to '/www/com/servername/php5bwW9n' in /www/com/servername/test.php on line 9

Possible file upload attack!
Here is some more debugging info:Array
(
    [userfile] => Array
        (
            [name] => Neu Textdokument (2).txt
            [type] => text/plain
            [tmp_name] => /tmp/php5bwW9n
            [error] => 0
            [size] => 1500
        )

)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-06-27 15:49 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2007-10-08 09:45 UTC] gkieffer at evolutive dot org

Hi,

I have the same behavior (that contradicts the documentation): source argument of move_uploaded_file() is checked against open_basedir.

As requested by 'tony2001@php.net', I've tried the latest PHP4 snapshot (php4-STABLE-200710080830) and the open_basedir restriction is still enforced on the source parameter of move_uploaded_file.

4.4.8-dev (snapshot): KO
4.4.7 : KO
4.4.6 : KO
4.4.5 : KO
4.4.3 : KO
4.4.2 : OK
4.4.1 : (I assume, I haven't tested it)
4.4.0 : OK

Here's some extra info about my environment:
Linux Debian Sarge
Apache 2.0.59 (compiled, not a Debian pkg)
PHP 4.4.x compiled as a module for Apache 2.0.59

upload_tmp_dir = /var/run/php-file-uploads

open_basedir = /wrk1/htdocssds/site.fqdn/

/var and /wrk1 are different (ext3) filesystems.

destination dir of move_uploaded_file() is /wrk1/htdocssds/site.fqdn/backoffice/photo_gest/

If I add '/var/run/php-file-uploads/' to open_basedir everything works fine but this is not the expected behavior.

Hope it helps !

Bye,
G.

[2007-10-08 12:18 UTC] gkieffer at evolutive dot org

Hi,

After some investigation, here's what I've found.

move_uploaded_file() makes use of the internal PHP function php_copy_file() when source file and destination file are not on the same filesystem (rename() works only on a single FS).

php_copy_file() changed from version 4.4.2 to 4.4.3:

# diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c
[ ... discarded some stuff ...]
@@ -2196,7 +2201,7 @@
 safe_to_copy:

        srcstream = php_stream_open_wrapper(src, "rb",
-                               STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
+                               ENFORCE_SAFE_MODE | REPORT_ERRORS,
                                NULL);

        if (!srcstream)



I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass open_basedir". And as that flag is gone...

Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the destination of move_uploaded_file() are on the same FS, everything works fine as as "rename()" is used (which is not affected by open_basedir restrictions).

I "solved" the issue by moving my upload_tmp_dir to the same FS where my websites are stored.

Bye,
G.

[2007-10-10 01:31 UTC] mueller at intertrend dot de

./.

[2008-04-05 21:44 UTC] carsten at bleicker dot de

vhost.conf:

php_admin_value open_basedir /home/pumatertion/public_html
php_admin_value upload_tmp_dir /home/pumatertion/public_html/.temp_uploads

works on my server

.temp_uploads has to be writeable for apache.
otherwise it seems that php uses the default /tmp folder

[2008-07-11 21:27 UTC] jani@php.net

We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 14:01:32 2024 UTC