php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53929 no-temporary name for a uploaded file
Submitted: 2011-02-04 19:25 UTC Modified: 2012-02-24 19:37 UTC
Votes:3
Avg. Score:3.0 ± 1.6
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dungar at kabia dot fr Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 5.3.5 OS: debian
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: dungar at kabia dot fr
New email:
PHP Version: OS:

 

 [2011-02-04 19:25 UTC] dungar at kabia dot fr 
Description:
------------
The function :is_uploaded_file return every time false.
(for a classical upload)
For find the file i must edit the path :
$file['file']['tmp_name']
by this path :
dirname($file['file']['tmp_name']).'/'.$file['file']['name']

The file of the tmp_name wasn't changed, and the uploaded name is used.
(May be dangerous for include attack ?)

Test script:
---------------
		$oForms_File = new Forms_File();
		if ( $oForms_File->isValid($_POST) ) {
			$fFile = $oForms_File->getValue('file');
			$adapter = new Zend_File_Transfer_Adapter_Http();
			$adapter->setDestination(CORE_APP_DIR.DS.'modules'.DS.'bugtracking'.DS.'files','test.todel');
			; 
			$file = $adapter->getFileInfo('file');
			echo file_get_contents(dirname($file['file']['tmp_name']).'/'.$file['file']['name']);exit;
			test($file);
			test($_FILES);
			test( is_uploaded_file($_FILES['file']['tmp_name']) );
			test($adapter->receive());
			test($adapter->getMessages());
			function ScanDirectory($Directory){

  $MyDirectory = opendir($Directory) or die('Erreur');
	while($Entry = @readdir($MyDirectory)) {
		if(is_dir($Directory.'/'.$Entry)&& $Entry != '.' && $Entry != '..') {
                         echo '<ul>'.$Directory;
			ScanDirectory($Directory.'/'.$Entry);
                        echo '</ul>';
		}
		else {
			echo '<li>'.$Entry.'</li>';
                }
	}
  closedir($MyDirectory);
}

ScanDirectory('/webdata/n/q/7a8fwoym65pts9/vbi3und15xa44wgw/php_upload');





<?php

class Forms_File extends Zend_Form {
	public function __construct($options = null) {
		 parent::__construct($options);
		 // setting Form name, Form action and Form Ecryption type
		 $this->setName('file');
		 /*
		 $this->setAction($this->view->url(
				array(
				'module'	=> Zend_Controller_Front::getInstance()->getRequest()->getParam('module'),
				'controller'=> 'files',
				'action'	=> 'upload',
				'id'		=> Zend_Controller_Front::getInstance()->getRequest()->getParam('id'),
				), $this->routes['crud-action-controller-id'], true)
				);
		 */
		 $this->setAttrib('enctype', 'multipart/form-data');
		 
		 // creating object for Zend_Form_Element_File
		 $doc_file = new Zend_Form_Element_File('file');
		 $doc_file//->setLabel('Document File Path')
				  ->setRequired(true);
	
		 // creating object for submit button
		 $submit = new Zend_Form_Element_Submit('submit');
		 $submit->setLabel('Upload File')
				 ->setAttrib('id', 'submitbutton');
	
		// adding elements to form Object
		$this->addElements(array($doc_file, $submit));
	}
}



<?php echo $this->oForm; ?>








Expected result:
----------------
test( is_uploaded_file($_FILES['file']['tmp_name']) ); => true

Actual result:
--------------
test( is_uploaded_file($_FILES['file']['tmp_name']) ); => false

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-23 02:41 UTC] felipe@php.net
-Package: Security related +Package: Filesystem function related
 [2011-07-31 18:53 UTC] mf_peppa at yahoo dot com 
same problem (mac os lion, php 5.3.6)
 [2011-07-31 19:55 UTC] mf_peppa at yahoo dot com 
oops, my bad - there is no problem with PHP, it's just a programming error - the 
guy who submitted this bug calls $fFile = $oForms_File->getValue('file'), which 
includes a move_uploaded_file() call... that's why the test results are wrong... i 
would recommend closing this bug
 [2012-02-24 19:37 UTC] sixd@php.net
-Status: Open +Status: Not a bug
 [2012-02-24 19:37 UTC] sixd@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Please review the user comments and reopen if you still consider this a problem.
 [2012-02-24 19:42 UTC] robertbasic dot com at gmail dot com 
This is not a PHP bug, but improper usage of the Zend_File_Transfer component from Zend Framework.

In the manual, http://framework.zend.com/manual/en/zend.file.transfer.introduction.html#zend.file.transfer.introduction.informations there's a clear big warning stating that "due to security reasons also the original data within $_FILES will be overridden as soon as Zend_File_Transfer is initiated."
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Dec 05 00:00:01 2025 UTC