php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #41824 move_uploaded_file open_basedir problem
Submitted: 2007-06-27 14:16 UTC Modified: 2008-07-11 21:27 UTC
Votes:16
Avg. Score:4.0 ± 0.9
Reproduced:14 of 14 (100.0%)
Same Version:6 (42.9%)
Same OS:4 (28.6%)
From: mueller at intertrend dot de Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.4.7 OS: SUSE LINUX 10.0
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: mueller at intertrend dot de
New email:
PHP Version: OS:

 

 [2007-06-27 14:16 UTC] mueller at intertrend dot de 
Description:
------------
move_uploaded_file() does not work if open_basedir is set.

settings in php.ini:
file_uploads = On
upload_tmp_dir = /tmp

settings in httpd.conf:
php_admin_value open_basedir /www/com/servername

tmp-dir and destination-dir are on the same filesystem.

Reproduce code:
---------------
$uploaddir = '/www/com/servername';
$uploadfile = $uploaddir . basename($_FILES['userfile']['tmp_name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";


Expected result:
----------------
File is valid, and was successfully uploaded.

Actual result:
--------------
Warning:  move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/php5bwW9n) is not within the allowed path(s): (/www/com/servername) in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file(/tmp/php5bwW9n) [function.move-uploaded-file]: failed to open stream: Operation not permitted in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php5bwW9n' to '/www/com/servername/php5bwW9n' in /www/com/servername/test.php on line 9

Possible file upload attack!
Here is some more debugging info:Array
(
    [userfile] => Array
        (
            [name] => Neu Textdokument (2).txt
            [type] => text/plain
            [tmp_name] => /tmp/php5bwW9n
            [error] => 0
            [size] => 1500
        )

)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-27 15:49 UTC] tony2001@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
 [2007-10-08 09:45 UTC] gkieffer at evolutive dot org 
Hi,

I have the same behavior (that contradicts the documentation): source argument of move_uploaded_file() is checked against open_basedir.

As requested by 'tony2001@php.net', I've tried the latest PHP4 snapshot (php4-STABLE-200710080830) and the open_basedir restriction is still enforced on the source parameter of move_uploaded_file.

4.4.8-dev (snapshot): KO
4.4.7 : KO
4.4.6 : KO
4.4.5 : KO
4.4.3 : KO
4.4.2 : OK
4.4.1 : (I assume, I haven't tested it)
4.4.0 : OK

Here's some extra info about my environment:
Linux Debian Sarge
Apache 2.0.59 (compiled, not a Debian pkg)
PHP 4.4.x compiled as a module for Apache 2.0.59

upload_tmp_dir = /var/run/php-file-uploads

open_basedir = /wrk1/htdocssds/site.fqdn/

/var and /wrk1 are different (ext3) filesystems.

destination dir of move_uploaded_file() is /wrk1/htdocssds/site.fqdn/backoffice/photo_gest/

If I add '/var/run/php-file-uploads/' to open_basedir everything works fine but this is not the expected behavior.

Hope it helps !

Bye,
G.
 [2007-10-08 12:18 UTC] gkieffer at evolutive dot org 
Hi,

After some investigation, here's what I've found.

move_uploaded_file() makes use of the internal PHP function php_copy_file() when source file and destination file are not on the same filesystem (rename() works only on a single FS).

php_copy_file() changed from version 4.4.2 to 4.4.3:

# diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c
[ ... discarded some stuff ...]
@@ -2196,7 +2201,7 @@
 safe_to_copy:

        srcstream = php_stream_open_wrapper(src, "rb",
-                               STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
+                               ENFORCE_SAFE_MODE | REPORT_ERRORS,
                                NULL);

        if (!srcstream)



I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass open_basedir". And as that flag is gone...

Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the destination of move_uploaded_file() are on the same FS, everything works fine as as "rename()" is used (which is not affected by open_basedir restrictions).

I "solved" the issue by moving my upload_tmp_dir to the same FS where my websites are stored.

Bye,
G.
 [2007-10-10 01:31 UTC] mueller at intertrend dot de 
./.
 [2008-04-05 21:44 UTC] carsten at bleicker dot de 
vhost.conf:

php_admin_value open_basedir /home/pumatertion/public_html
php_admin_value upload_tmp_dir /home/pumatertion/public_html/.temp_uploads

works on my server

.temp_uploads has to be writeable for apache.
otherwise it seems that php uses the default /tmp folder
 [2008-07-11 21:27 UTC] jani@php.net 
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 18:01:29 2024 UTC