php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28708 move_uploaded_file to no Permission dir make php crash
Submitted: 2004-06-09 09:21 UTC Modified: 2004-11-02 01:00 UTC
Votes:6
Avg. Score:4.2 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:4 (66.7%)
Same OS:2 (33.3%)
From: xuefer at 21cn dot com Assigned: helly (profile)
Status: No Feedback Package: Filesystem function related
PHP Version: 5CVS, 4CVS OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: xuefer at 21cn dot com
New email:
PHP Version: OS:

 

 [2004-06-09 09:21 UTC] xuefer at 21cn dot com
Description:
------------
move_uploaded_file to NO Permission dir get make crash

in shell: chmod 000 /path/to
in php: move_uploaded_file($_FILES['userfile']['tmp_name'], '/path/to/file.jpg');

crash or show 2 error:
move_uploaded_file(/path/to/file.jpg): failed to open stream: Permission denied
move_uploaded_file(): Unable to move 'pbZ@?Z
' to '@?Z?V,'



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-09 16:14 UTC] iliaa@php.net
Cannot replicate the bug, I get the same error messages, 
however the error correctly displays the filenames 
involved. The error seems to be caused by an unrelated 
memory corruption. 
 [2004-06-10 03:25 UTC] xuefer at 21cn dot com
backtrace:
#0  0x404878fb in zif_move_uploaded_file () from /www/modules/libphp4.so
#1  0x4052b6f8 in execute () from /www/modules/libphp4.so
#2  0x4052b464 in execute () from /www/modules/libphp4.so
#3  0x40515f12 in call_user_function_ex () from /www/modules/libphp4.so
#4  0x40485547 in zif_call_user_func_array () from /www/modules/libphp4.so
#5  0x4052b6f8 in execute () from /www/modules/libphp4.so
#6  0x4052b464 in execute () from /www/modules/libphp4.so
#7  0x4052b464 in execute () from /www/modules/libphp4.so
#8  0x4052b464 in execute () from /www/modules/libphp4.so
#9  0x4052b464 in execute () from /www/modules/libphp4.so
#10 0x4052b464 in execute () from /www/modules/libphp4.so
#11 0x4052b464 in execute () from /www/modules/libphp4.so
#12 0x4052b464 in execute () from /www/modules/libphp4.so
#13 0x4051dacc in zend_execute_scripts () from /www/modules/libphp4.so
#14 0x404f1b6c in php_execute_script () from /www/modules/libphp4.so
#15 0x4053170b in php_handler () from /www/modules/libphp4.so
#16 0x080af7e0 in ap_invoke_handler ()
#17 0x0809164b in ap_process_request ()
#18 0x0808bd2c in ap_process_http_connection ()
#19 0x080bc385 in ap_process_connection ()
#20 0x080af2da in child_main ()
#21 0x080ae144 in make_child ()
#22 0x080ae539 in perform_idle_server_maintenance ()
#23 0x080adaed in ap_mpm_run ()
#24 0x080b56a1 in main ()
#25 0x402b0657 in __libc_start_main (main=0x80b4cd0 <main>, argc=3, 
    ubp_av=0xbffffae4, init=0x806693c <_init>, fini=0x80d5540 <_fini>, 
    rtld_fini=0x4100dc54 <_dl_fini>, stack_end=0xbffffadc)
    at ../sysdeps/generic/libc-start.c:129
 [2004-06-10 16:01 UTC] iliaa@php.net
Are you using thread-safe PHP? Try compiling php with 
--enable-debug, this should produce a more detailed 
backtrace. 
 [2004-06-10 17:06 UTC] xuefer at 21cn dot com
done with CFLAGS="-g"

coredump:

#0  0x404879ab in zif_move_uploaded_file (ht=2, return_value=0x84a5954, 
    this_ptr=0x0, return_value_used=1)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:2821
2821			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to move '%s' to '%s'", Z_STRVAL_PP(path), Z_STRVAL_PP(new_path));

Backtrace:
---------------

#0  0x404879ab in zif_move_uploaded_file (ht=2, return_value=0x84a5954, 
    this_ptr=0x0, return_value_used=1)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:2821
#1  0x4052b828 in execute (op_array=0x85ce660)
    at /home/oursky/src/php4/Zend/zend_execute.c:1635
#2  0x4052b594 in execute (op_array=0x86023f4)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#3  0x40516042 in call_user_function_ex (function_table=0xbfffa0f0, 
    object_pp=0x84a56a8, function_name=0x864641c, retval_ptr_ptr=0xbfff9cec, 
    param_count=4, params=0x84a58cc, no_separation=0, symbol_table=0x0)
    at /home/oursky/src/php4/Zend/zend_execute_API.c:567
#4  0x404855f7 in zif_call_user_func_array (ht=2, return_value=0x84a572c, 
    this_ptr=0x0, return_value_used=1)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:1946
#5  0x4052b828 in execute (op_array=0x85294cc)
    at /home/oursky/src/php4/Zend/zend_execute.c:1635
#6  0x4052b594 in execute (op_array=0x839aa54)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#7  0x4052b594 in execute (op_array=0x85fbed4)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#8  0x4052b594 in execute (op_array=0x85fc08c)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#9  0x4052b594 in execute (op_array=0x8575414)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#10 0x4052b594 in execute (op_array=0x85ec564)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#11 0x4052b594 in execute (op_array=0x831638c)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#12 0x4052b594 in execute (op_array=0x844848c)
    at /home/oursky/src/php4/Zend/zend_execute.c:1679
#13 0x4051dbfc in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/oursky/src/php4/Zend/zend.c:891
#14 0x404f1c2c in php_execute_script (primary_file=0xbffff680)
    at /home/oursky/src/php4/main/main.c:1731
#15 0x4053183b in php_handler (r=0x863f840)
    at /home/oursky/src/php4/sapi/apache2handler/sapi_apache2.c:561
#16 0x080af7e0 in ap_invoke_handler ()
#17 0x0809164b in ap_process_request ()
#18 0x0808bd2c in ap_process_http_connection ()
#19 0x080bc385 in ap_process_connection ()
#20 0x080af2da in child_main ()
#21 0x080ae144 in make_child ()
#22 0x080ae489 in perform_idle_server_maintenance ()
#23 0x080adaed in ap_mpm_run ()
#24 0x080b56a1 in main ()
#25 0x402b0657 in __libc_start_main (main=0x80b4cd0 <main>, argc=3, 
    ubp_av=0xbffffae4, init=0x806693c <_init>, fini=0x80d5540 <_fini>, 
    rtld_fini=0x4100dc54 <_dl_fini>, stack_end=0xbffffadc)
    at ../sysdeps/generic/libc-start.c:129

Php dump:
---------------

"common.function_name: "$1 = 0x40572a5c "move_uploaded_file"
 [2004-07-06 16:05 UTC] sniper@php.net
Marcus, this is once again one of those weird bugs caused by your docref crap.

 [2004-10-25 09:39 UTC] helly@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2004-11-02 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-11-17 14:32 UTC] arun_ri2003 at rediffmail dot com
I can't get the file uploader to work. This is the error I get:
Warning: move_uploaded_file(../img/mainpict.jpg) [function.move-uploaded-file]: failed to open stream: Permission denied in /usr/local/share/doc/vhost/privatebazaar.com/httpdocs/property/editpropimg.php on line 50

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/users/privatebazaar.com/tmp/phpI5aoQZ' to '../img/mainpict.jpg' in /usr/local/share/doc/vhost/privatebazaar.com/httpdocs/property/editpropimg.php on line 50
 [2005-11-17 14:37 UTC] arun_ri2003 at rediffmail dot com
Hi,
I also get this problem plz help us.If you have any solution then report us 

Thanks
Arun Goyal
 [2007-10-11 17:27 UTC] ayo at p-ims dot co dot uk
When on a virtual server with apache2handler loaded, apache becomes the user / owner of the file and does not have permissions to the directory.  get_current_user() does not report the file owner but the script owner.

How can this be solved?  Making the target directory writable by the world revealed this bug.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Nov 03 12:01:28 2024 UTC