PHP :: Bug #15928 :: move_uploaded_file() is unsafe running in safe-mode

Bug #15928	move_uploaded_file() is unsafe running in safe-mode
Submitted:	2002-03-07 06:15 UTC	Modified:	2002-03-19 03:18 UTC
From:	webmaster at unizh dot ch	Assigned:
Status:	Closed	Package:	PHP options/info functions
PHP Version:	4.1.2	OS:	AIX
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	webmaster at unizh dot ch
New email:
PHP Version:		OS:

New Comment:

[2002-03-07 06:15 UTC] webmaster at unizh dot ch

Security issue in move_uploaded_file() while in safe-mode

We have different web-sites running on our server. Each of them
may prepare a directory in which files may be written using php-upload
and move_uploaded_file(). Our webserver runs with safe-mode-restriction.

The documentations says, as mentioned, that this is not unsafe.

Note: move_uploaded_file() is not affected by the normal
                       safe-mode UID-restrictions. This is not unsafe because
                       move_uploaded_file() only operates on files uploaded via PHP. 

In fact, it is. If I know a directory of another website which
allows to upload files via php, I'll be able to write a file to this location,
offering an upload-script on my website. I could on this way put
offending files in someone elses website, who probably protectet his
php-upload-script with .htaccess.

I would suggest that move_uploaded_file() should be modified that
way, that files may only be moved to directories whose owner is the
same as the upload-script while safe-mode restriction applies. 
This approach would guarantee that nobody else as the people who 
offers an upload-script will be able to put files in the owners webspace. 

After such a modification move_uploaded_file() will be really safe. At
present, it's not. It allows to skip safe-mode-restriction.

Kind regards and thanks for any feedback

Roberto

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-17 12:35 UTC] sander@php.net

This is already implemented.

[2002-03-19 03:04 UTC] webmaster at unizh dot ch

Sorry, but in fact the bug still persists in php 4.1.2
a php script owned by uid=xxx is able to upload
files to a directory owned by uid=yyy in safe_mode.
Please reopen this bug.

[2002-03-19 03:07 UTC] derick@php.net

I think Sander meant it's fixed in CVS. Can you try a snapshot from snaps.php.net, or wait for 4.2.0RC1, which will be rolled tomorrow?

Derick

[2002-03-19 03:16 UTC] webmaster at unizh dot ch

Sorry, since we were running php 4.1.1 still yesterday
I was not aware that Sander meant that the bug was
fixed in CVS. Since you announced the new release
for tomorrow, I'll wait and try it out.

Thanks Roberto

[2002-03-19 03:18 UTC] derick@php.net

I didn't say "release" but RC, which means "release candidate".

Derick

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jul 03 11:01:34 2025 UTC