Request #36551 Improve safe_mode file upload compatibility
Submitted: 2006-02-27 21:41 UTC
Modified: 2016-12-30 23:37 UTC
Votes: 1
Avg. Score: 1.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: nanovox at gmail dot com
Assigned: cmb (profile)
Status: Closed
Package: Filesystem function related
PHP Version: 5.1.2
OS: Fedora Core 4/Linux 2.6.14.3
Private report: No
CVE-ID: None
 [2006-02-27 21:41 UTC] nanovox at gmail dot com
Description:
------------
Currently the function, move_uploaded_file, works in safe mode, but does not behave as I believe it should.  Neither does the upload_tmp_dir ini system variable.  

As you know PHP runs with the apache permissions.  The problem comes with safe_mode.  When the script limits the use of files based on their group and ownership settings, it causes some problems when you're uploading files.  This is because all files created during an upload are given the apache permissions instead of the script's permissions.  

Another problem is that the upload_tmp_dir variable doesn't work in safe mode.  I've set it to /shared/tmp but php still uses /tmp instead.

I propose that in php safe_mode, the upload_tmp_dir should be settable (using php_admin_value options in the apache config).  Then all temporary upload files should be created with the group and ownership of the temporary folder. Thus if your upload_tmp_dir folder is owned by johndoe:webgroup the temporary files should also have the same ownership.  As long as the open_basedir allows access to the temporary directory and the siteroot, move_uploaded_file should be able to transfer files between the two spots and the ownership would remain as that of the script that was run.

I believe this would eliminate the largest problem of safe mode without compromising security.  It would at least save people in a shared environment from the consequences of an open source php program that has to run outside of safe_mode for such reasons.

Without these measures, a php script could not allow you to upload a file and limit access based on the php application's restrictions.  Namely, upload a copyrighted image and only provide access to that image for those who have purchased the image without turning off safe mode and opening up your whole computer to obvious security risks.

Reproduce code:
---------------
- set: php_admin_value safe_mode 1
- set: php_admin_value upload_tmp_dir "/home/johndoe/webtmp"
- upload file using a form (upload to the upload_tmp_dir)
- move_uploaded_file from /home/johndoe/webtmp to other location found in open_basedir value
- try opening the uploaded file with a php script that has different ownership than that of apache web server.

Expected result:
----------------
File should save to upload_tmp_dir and have ownership of the tmp_dir's folder, even in safe_mode. After moving it, the script should be openable in a php script because the uploaded file should have the same permissions as that of the running script.

Actual result:
--------------
upload_tmp_dir is ignored and file is placed in /tmp folder with owner and group being the same as what the apache web server is running as.  Moving the file to johndoe's web directory leaves the ownership as being apache's ownership.  Scripts that use the file can't because they are running with johndoe's permissions while the file is using apache's permissions.

 [2016-12-30 23:37 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Package: Feature/Change Request
+Package: Filesystem function related
-Assigned To:
+Assigned To: cmb
 [2016-12-30 23:37 UTC] cmb@php.net
Safe mode has been removed as of PHP 5.4.0, so this request
is irrelevant now.
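
The ownership mismatch described in the report, as an added example that is not part of the original report or PHP's own code: a simplified approximation of the owner comparison safe mode applied (file owner against script owner, or group when safe_mode_gid is on), which shows why a file created by the web server user was refused. The function name safe_mode_owner_check and the sample file are assumptions made for illustration.

```php
<?php
// Added example. This approximates the safe_mode owner comparison; it is
// not PHP's internal implementation and ignores open_basedir entirely.

/**
 * Compare a file's owner with the owner of the running script.
 * $gidMode mirrors the safe_mode_gid setting: a group match is enough.
 */
function safe_mode_owner_check(string $path, bool $gidMode = false): array
{
    clearstatcache(true, $path);
    $st = @stat($path);
    if ($st === false) {
        return ['path' => $path, 'allowed' => false, 'reason' => 'stat failed'];
    }

    // getmyuid()/getmygid() return the owner of the script file,
    // not the user the web server process runs as.
    $scriptUid = getmyuid();
    $scriptGid = getmygid();
    $uidMatch  = ($st['uid'] === $scriptUid);
    $gidMatch  = ($st['gid'] === $scriptGid);
    $allowed   = $uidMatch || ($gidMode && $gidMatch);

    return [
        'path'         => $path,
        'file_uid'     => $st['uid'],
        'file_gid'     => $st['gid'],
        'script_uid'   => $scriptUid,
        'script_gid'   => $scriptGid,
        // Process user that creates upload temp files (needs ext/posix).
        'process_euid' => function_exists('posix_geteuid') ? posix_geteuid() : null,
        'allowed'      => $allowed,
        'reason'       => $allowed
            ? ($uidMatch ? 'uid matches script owner' : 'gid matches script group')
            : "file uid {$st['uid']} differs from script uid {$scriptUid}",
    ];
}

// Constructed sample: a file created by the current process stands in for
// an uploaded file after move_uploaded_file().
$sample = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($sample, "constructed sample upload\n");
print_r(safe_mode_owner_check($sample));        // strict uid comparison
print_r(safe_mode_owner_check($sample, true));  // with group matching
unlink($sample);
```

Run from the command line, the script owner and process user are usually the same and the check passes; under a web server running as a different user, file_uid follows process_euid and the uid comparison fails as the report describes.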
 