php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28708 move_uploaded_file to no Permission dir make php crash
Submitted: 2004-06-09 09:21 UTC Modified: 2004-11-02 01:00 UTC
Votes:6
Avg. Score:4.2 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:4 (66.7%)
Same OS:2 (33.3%)
From: xuefer at 21cn dot com Assigned: helly (profile)
Status: No Feedback Package: Filesystem function related
PHP Version: 5CVS, 4CVS OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2004-06-09 09:21 UTC] xuefer at 21cn dot com
Description:
------------
move_uploaded_file to NO Permission dir get make crash

in shell: chmod 000 /path/to
in php: move_uploaded_file($_FILES['userfile']['tmp_name'], '/path/to/file.jpg');

crash or show 2 error:
move_uploaded_file(/path/to/file.jpg): failed to open stream: Permission denied
move_uploaded_file(): Unable to move 'pbZ@?Z
' to '@?Z?V,'



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-09 16:14 UTC] iliaa@php.net
Cannot replicate the bug, I get the same error messages, 
however the error correctly displays the filenames 
involved. The error seems to be caused by an unrelated 
memory corruption. 
 [2004-06-10 03:25 UTC] xuefer at 21cn dot com
backtrace:
#0  0x404878fb in zif_move_uploaded_file () from /www/modules/libphp4.so
#1  0x4052b6f8 in execute () from /www/modules/libphp4.so
#2  0x4052b464 in execute () from /www/modules/libphp4.so
#3  0x40515f12 in call_user_function_ex () from /www/modules/libphp4.so
#4  0x40485547 in zif_call_user_func_array () from /www/modules/libphp4.so
#5  0x4052b6f8 in execute () from /www/modules/libphp4.so
#6  0x4052b464 in execute () from /www/modules/libphp4.so
#7  0x4052b464 in execute () from /www/modules/libphp4.so
#8  0x4052b464 in execute () from /www/modules/libphp4.so
#9  0x4052b464 in execute () from /www/modules/libphp4.so
#10 0x4052b464 in execute () from /www/modules/libphp4.so
#11 0x4052b464 in execute () from /www/modules/libphp4.so
#12 0x4052b464 in execute () from /www/modules/libphp4.so
#13 0x4051dacc in zend_execute_scripts () from /www/modules/libphp4.so
#14 0x404f1b6c in php_execute_script () from /www/modules/libphp4.so
#15 0x4053170b in php_handler () from /www/modules/libphp4.so
#16 0x080af7e0 in ap_invoke_handler ()
#17 0x0809164b in ap_process_request ()
#18 0x0808bd2c in ap_process_http_connection ()
#19 0x080bc385 in ap_process_connection ()
#20 0x080af2da in child_main ()
#21 0x080ae144 in make_child ()
#22 0x080ae539 in perform_idle_server_maintenance ()
#23 0x080adaed in ap_mpm_run ()
#24 0x080b56a1 in main ()
#25 0x402b0657 in __libc_start_main (main=0x80b4cd0 <main>, argc=3, 
    ubp_av=0xbffffae4, init=0x806693c <_init>, fini=0x80d5540 <_fini>, 
    rtld_fini=0x4100dc54 <_dl_fini>, stack_end=0xbffffadc)
    at ../sysdeps/generic/libc-start.c:129
 [2004-06-10 16:01 UTC] iliaa@php.net
Are you using thread-safe PHP? Try compiling php with 
--enable-debug, this should produce a more detailed 
backtrace. 
 [2004-06-10 17:06 UTC] xuefer at 21cn dot com
done with CFLAGS="-g"

coredump:

#0  0x404879ab in zif_move_uploaded_file (ht=2, return_value=0x84a5954, 
    this_ptr=0x0, return_value_used=1)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:2821
2821			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to move '%s' to '%s'", Z_STRVAL_PP(path), Z_STRVAL_PP(new_path));

Backtrace:
---------------

#0  0x404879ab in zif_move_uploaded_file (ht=2, return_value=0x84a5954, 
    this_ptr=0x0, return_value_used=1)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:2821
#1  0x4052b828 in execute (op_array=0x85ce660)
    at /home/oursky/src/php4/Zend/zend_execute.c:1635
#2  0x4052b594 in execute (op_array=0x86023f4)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#3  0x40516042 in call_user_function_ex (function_table=0xbfffa0f0, 
    object_pp=0x84a56a8, function_name=0x864641c, retval_ptr_ptr=0xbfff9cec, 
    param_count=4, params=0x84a58cc, no_separation=0, symbol_table=0x0)
    at /home/oursky/src/php4/Zend/zend_execute_API.c:567
#4  0x404855f7 in zif_call_user_func_array (ht=2, return_value=0x84a572c, 
    this_ptr=0x0, return_value_used=1)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:1946
#5  0x4052b828 in execute (op_array=0x85294cc)
    at /home/oursky/src/php4/Zend/zend_execute.c:1635
#6  0x4052b594 in execute (op_array=0x839aa54)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#7  0x4052b594 in execute (op_array=0x85fbed4)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#8  0x4052b594 in execute (op_array=0x85fc08c)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#9  0x4052b594 in execute (op_array=0x8575414)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#10 0x4052b594 in execute (op_array=0x85ec564)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#11 0x4052b594 in execute (op_array=0x831638c)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#12 0x4052b594 in execute (op_array=0x844848c)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#13 0x4051dbfc in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/oursky/src/php4/Zend/zend.c:891
#14 0x404f1c2c in php_execute_script (primary_file=0xbffff680)
    at /home/oursky/src/php4/main/main.c:1731
#15 0x4053183b in php_handler (r=0x863f840)
    at /home/oursky/src/php4/sapi/apache2handler/sapi_apache2.c:561
#16 0x080af7e0 in ap_invoke_handler ()
#17 0x0809164b in ap_process_request ()
#18 0x0808bd2c in ap_process_http_connection ()
#19 0x080bc385 in ap_process_connection ()
#20 0x080af2da in child_main ()
#21 0x080ae144 in make_child ()
#22 0x080ae489 in perform_idle_server_maintenance ()
#23 0x080adaed in ap_mpm_run ()
#24 0x080b56a1 in main ()
#25 0x402b0657 in __libc_start_main (main=0x80b4cd0 <main>, argc=3, 
    ubp_av=0xbffffae4, init=0x806693c <_init>, fini=0x80d5540 <_fini>, 
    rtld_fini=0x4100dc54 <_dl_fini>, stack_end=0xbffffadc)
    at ../sysdeps/generic/libc-start.c:129

Php dump:
---------------

"common.function_name: "$1 = 0x40572a5c "move_uploaded_file"
 [2004-07-06 16:05 UTC] sniper@php.net
Marcus, this is once again one of those weird bugs caused by your docref crap.

 [2004-10-25 09:39 UTC] helly@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2004-11-02 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-11-17 14:32 UTC] arun_ri2003 at rediffmail dot com
I can't get the file uploader to work. This is the error I get:
Warning: move_uploaded_file(../img/mainpict.jpg) [function.move-uploaded-file]: failed to open stream: Permission denied in /usr/local/share/doc/vhost/privatebazaar.com/httpdocs/property/editpropimg.php on line 50

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/users/privatebazaar.com/tmp/phpI5aoQZ' to '../img/mainpict.jpg' in /usr/local/share/doc/vhost/privatebazaar.com/httpdocs/property/editpropimg.php on line 50
 [2005-11-17 14:37 UTC] arun_ri2003 at rediffmail dot com
Hi,
I also get this problem plz help us.If you have any solution then report us 

Thanks
Arun Goyal
 [2007-10-11 17:27 UTC] ayo at p-ims dot co dot uk
When on a virtual server with apache2handler loaded, apache becomes the user / owner of the file and does not have permissions to the directory.  get_current_user() does not report the file owner but the script owner.

How can this be solved?  Making the target directory writable by the world revealed this bug.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Nov 15 04:01:34 2019 UTC