Bug #53929 no-temporary name for a uploaded file
Submitted: 2011-02-04 19:25 UTC Modified: 2012-02-24 19:37 UTC
Votes:3
Avg. Score:3.0 ± 1.6
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dungar at kabia dot fr Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 5.3.5 OS: debian
Private report: No CVE-ID: None
 [2011-02-04 19:25 UTC] dungar at kabia dot fr
Description:
------------
The function is_uploaded_file returns false every time
(for a classic upload).
To find the file I must change the path:
$file['file']['tmp_name']
to this path:
dirname($file['file']['tmp_name']).'/'.$file['file']['name']

The file of the tmp_name wasn't changed, and the uploaded name is used.
(May be dangerous for an include attack?)

Test script:
---------------
// test() is the reporter's debug helper; its definition is not included in the report.
$oForms_File = new Forms_File();
if ( $oForms_File->isValid($_POST) ) {
	$fFile = $oForms_File->getValue('file');
	$adapter = new Zend_File_Transfer_Adapter_Http();
	$adapter->setDestination(CORE_APP_DIR.DS.'modules'.DS.'bugtracking'.DS.'files','test.todel');
	$file = $adapter->getFileInfo('file');
	echo file_get_contents(dirname($file['file']['tmp_name']).'/'.$file['file']['name']);exit;
	test($file);
	test($_FILES);
	test( is_uploaded_file($_FILES['file']['tmp_name']) );
	test($adapter->receive());
	test($adapter->getMessages());

	// Recursively print a directory tree as nested HTML lists.
	function ScanDirectory($Directory){
		$MyDirectory = opendir($Directory) or die('Erreur');
		// Compare against false so an entry named "0" does not end the loop early.
		while(false !== ($Entry = @readdir($MyDirectory))) {
			if(is_dir($Directory.'/'.$Entry) && $Entry != '.' && $Entry != '..') {
				echo '<ul>'.$Directory;
				ScanDirectory($Directory.'/'.$Entry);
				echo '</ul>';
			}
			else {
				echo '<li>'.$Entry.'</li>';
			}
		}
		closedir($MyDirectory);
	}

	ScanDirectory('/webdata/n/q/7a8fwoym65pts9/vbi3und15xa44wgw/php_upload');
}

<?php

class Forms_File extends Zend_Form {
	public function __construct($options = null) {
		 parent::__construct($options);
		 // setting Form name, Form action and Form encryption type
		 $this->setName('file');
		 /*
		 $this->setAction($this->view->url(
				array(
				'module'	=> Zend_Controller_Front::getInstance()->getRequest()->getParam('module'),
				'controller'=> 'files',
				'action'	=> 'upload',
				'id'		=> Zend_Controller_Front::getInstance()->getRequest()->getParam('id'),
				), $this->routes['crud-action-controller-id'], true)
				);
		 */
		 $this->setAttrib('enctype', 'multipart/form-data');
		 
		 // creating object for Zend_Form_Element_File
		 $doc_file = new Zend_Form_Element_File('file');
		 $doc_file//->setLabel('Document File Path')
				  ->setRequired(true);
	
		 // creating object for submit button
		 $submit = new Zend_Form_Element_Submit('submit');
		 $submit->setLabel('Upload File')
				 ->setAttrib('id', 'submitbutton');
	
		// adding elements to form Object
		$this->addElements(array($doc_file, $submit));
	}
}



<?php echo $this->oForm; ?>

Expected result:
----------------
test( is_uploaded_file($_FILES['file']['tmp_name']) ); => true

Actual result:
--------------
test( is_uploaded_file($_FILES['file']['tmp_name']) ); => false

 [2011-03-23 02:41 UTC] felipe@php.net
-Package: Security related +Package: Filesystem function related
 [2011-07-31 18:53 UTC] mf_peppa at yahoo dot com
same problem (mac os lion, php 5.3.6)
 [2011-07-31 19:55 UTC] mf_peppa at yahoo dot com
Oops, my bad - there is no problem with PHP, it's just a programming error - the guy who submitted this bug calls $fFile = $oForms_File->getValue('file'), which includes a move_uploaded_file() call... that's why the test results are wrong... I would recommend closing this bug
 [2012-02-24 19:37 UTC] sixd@php.net
-Status: Open +Status: Not a bug
 [2012-02-24 19:37 UTC] sixd@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Please review the user comments and reopen if you still consider this a problem.
 [2012-02-24 19:42 UTC] robertbasic dot com at gmail dot com
This is not a PHP bug, but improper usage of the Zend_File_Transfer component from Zend Framework.

In the manual, http://framework.zend.com/manual/en/zend.file.transfer.introduction.html#zend.file.transfer.introduction.informations there's a clear big warning stating that "due to security reasons also the original data within $_FILES will be overridden as soon as Zend_File_Transfer is initiated."
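
The ordering problem identified in the comments above, shown in plain PHP as an added example (not code from the report or from Zend Framework): the upload check runs before the file is moved, and the client-supplied name never becomes part of a path. The `store_upload` function, `UPLOAD_DIR` and the extension allow-list are assumptions, and the code targets PHP 7 or later rather than the 5.3.5 in the report.

```php
<?php
// Added example, not from the bug report. UPLOAD_DIR, the 'file' field name
// and the extension allow-list are assumptions for illustration.
const UPLOAD_DIR = '/var/www/app-data/uploads';

function store_upload(array $entry, string $destDir): string
{
    // 1. Reject anything PHP flagged as failed, partial or malformed.
    if (!isset($entry['error'], $entry['tmp_name'], $entry['name'])
        || $entry['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }
    $tmp = $entry['tmp_name'];

    // 2. This check must run BEFORE the move. Once move_uploaded_file()
    //    succeeds, PHP no longer treats $tmp as a pending upload.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not a pending HTTP upload');
    }

    // 3. The client-supplied name only selects an allow-listed extension;
    //    the stored file name is generated on the server.
    $ext = strtolower(pathinfo($entry['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['txt', 'png', 'pdf'], true)) {
        throw new RuntimeException('extension not allowed');
    }
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. move_uploaded_file() repeats the upload check, then moves the file.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move failed');
    }
    // From here on is_uploaded_file($tmp) returns false; use $dest only.
    return $dest;
}

if (isset($_FILES['file'])) {
    try {
        $path = store_upload($_FILES['file'], UPLOAD_DIR);
        echo 'stored as ', htmlspecialchars(basename($path)), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage()), "\n";
    }
}
```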
 