|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40537 move_uploaded_file - target directory's name problem
Submitted: 2007-02-19 01:13 UTC Modified: 2007-05-04 01:00 UTC
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: stloukal at programator dot cz Assigned:
Status: No Feedback Package: Filesystem function related
PHP Version: 5.2.1 OS: FC4, 2.6.17
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2007-02-19 01:13 UTC] stloukal at programator dot cz

I have a problem with move_uploaded_file() function which doesn't move the uploaded file. No errors or warnings are thrown, only false is returned. Problem occurs only if target directory is RELATIVELY addressed and it is named "tmp".

It seems, that this is the same problem:

Reproduce code:
$path = '../../tmp/'.$_FILES['soubor']['name']; // this is not the system tmp directory

echo 'uploaded: '.$_FILES['soubor']['tmp_name'].' = '.(int)file_exists($_FILES['soubor']['tmp_name']);

move_uploaded_file($_FILES['soubor']['tmp_name'], $path);

echo ' moved: '.$path.' = '.(int)file_exists($path);

Expected result:
uploaded: /home/chroot/tmp/phpcLIB4C = 1 
moved: ../../tmp/galerie_2001_image001jpg.jpg = 1

Actual result:
uploaded: /home/chroot/tmp/phpcLIB4C = 1 
moved: ../../tmp/galerie_2001_image001jpg.jpg = 0


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-19 10:01 UTC]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

 [2007-02-19 12:26 UTC] stloukal at programator dot cz

here is working code that demonstrates described bug. I append some configuration that may be interesting for you.

Safe mode: off
$_SERVER[SCRIPT_FILENAME]: /var/www/web/tuzemsko/krtek/admin/gallery_test.php
real path of the script: /home/chroot/home/krtek/web/tuzemsko/www/admin/gallery_test.php

/var/www/web/tuzemsko/krtek is a symbolic link to /home/chroot/home/krtek/web/tuzemsko/www/.

<Directory "/var/www/web/tuzemsko/krtek">
        php_admin_value upload_tmp_dir /home/chroot/tmp/
        php_admin_value open_basedir /var/www/web/tuzemsko/krtek/:/home/chroot/tmp/:/home/chroot/home/krtek/web/

Directory /home/chroot/home/krtek/web/tuzemsko/tmp/ has 0777 permissions.



// *************** UPLOAD FOTKY ***************
if ($_REQUEST['load_pic']) {

        $name = 'galerie_'.$_FILES['soubor']['name'];
        $path = '../../tmp/'.$name;

        echo 'uploaded: '.$_FILES['soubor']['tmp_name'].' = '.(int)file_exists($_FILES['soubor']['tmp_name']);
        $res = move_uploaded_file($_FILES['soubor']['tmp_name'], $path);
        echo ' moved: '.$path.' = '.(int)file_exists($path);

// *************** UPLOAD FOTKY KONEC ***************

echo '
<form action="'.$_SERVER['PHP_SELF'].'" method="post" enctype="multipart/form-data">
        <input type="hidden" name="MAX_FILE_SIZE" value="200000" />
        <input type="file" name="soubor" />
        <input type="submit" value="Save" />
        <input type="hidden" name="load_pic" value="true" />

Everything worked fine with 5.1.2 version.
 [2007-02-26 09:53 UTC]
Cannot reproduce.
Fix your symlinks pointing to and out chroots.
 [2007-02-26 12:42 UTC] stloukal at programator dot cz

I don't know, what to fix. I can use the same configuration, the same symlinks, the same script and when I change the name of the target directory (e.g. ../../tmp/test/ or ../../temp/) everything works fine without problems. I don't think the problem is in the symlinks. Even if I create symlink for "tmp" named "temp" and I use "../../temp" path instead "../../tmp" path, it works fine.
 [2007-02-26 12:53 UTC]
I'm totally lost in your paths, "/home/chroot/home/krtek/web/tuzemsko/tmp/", which is actually "/var/www/web/tuzemsko/krtek/web/tuzemsko/tmp" is a bit hard to read and recreate.
Please provide simple and clear directory structure I need to create in order to reproduce it.
For example:
/www/tmp - upload dir
/www - scripts dir
etc. etc.
 [2007-02-26 15:23 UTC] stloukal at programator dot cz
OK, sorry for inconvenience. I created in my DocumentRoot (/var/www/web/) directories "bug_test" and "tmp" (both 0777 permissions). No symlinks are used! Then I placed script gallery_test.php (see my post from [19 Feb 12:26pm UTC]) into the bug_test directory. That's all. Script behaviour matches the described bug.
 [2007-02-26 15:28 UTC]
uploaded: /www/tmp/phpweyhUK = 1 
moved: ../tmp/galerie_DSCF6801_resize.JPG = 1

Works perfectly fine.
 [2007-02-26 15:28 UTC] stloukal at programator dot cz
Addition to [26 Feb 3:23pm UTC]: please change the line 7 in script - use "$path = '../tmp/'.$name;" instead of "$path = '../../tmp/'.$name;"
 [2007-02-26 15:30 UTC]
Somehow I figured that out myself, thanks.
Please remove open_basedir and see if it makes any difference.
 [2007-02-26 15:44 UTC] stloukal at programator dot cz
There are no open_basedir (or any other) restrictions for /var/www/web or var/www/web/bug_test.

Please, could you look at this page ( It contains my script and phpinfo() output. Maybe, my problem is not in PHP. Should it be somewhere else? E.g. in Apache or Linux? I turned SELinux off.
 [2007-02-26 15:49 UTC]
Add error_reporting(E_ALL | E_STRICT) to the beginning of the script.

>I turned SELinux off.
See if `ls -Z` works for you.
 [2007-02-26 15:57 UTC] stloukal at programator dot cz
Error reporting added.

[stloukad@shaman web]$ ls -Z
drwxrwxrwx  root     root                                     bug_test
drwxrwxrwx  root     root                                      tmp
 [2007-02-26 16:01 UTC]
"ls -Z" can only work if SELinux is enabled, so you did not turn it off.

 [2007-02-26 16:46 UTC] stloukal at programator dot cz
Now it is really turned off.

[root@shaman web]# cat /etc/sysconfig/selinux

It unfortunately doesn't affect described behaviour.
 [2007-02-26 16:51 UTC]
>Now it is really turned off.
ls -Z ?
 [2007-02-26 17:40 UTC] stloukal at programator dot cz
ls -Z gives the same output as previous. But I think SELinux is disabled:

[root@shaman web]# id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.

I added also selinux=0 into grub.conf on the kernel booting line and restarted computer.
 [2007-02-26 18:56 UTC]
I can't reproduce it.
You can try to trace it with GDB (don't forget to rebuild PHP with --enable-debug in this case).
 [2007-03-01 14:18 UTC] stloukal at programator dot cz
I started apache (2.2.4, --with-mpm=worker) in debug mode and described bug disappeared. In standard mode is bug still present. May be it is a bug in Apache??
 [2007-03-01 14:21 UTC]
What do you mean by "standard mode"?
 [2007-03-01 14:23 UTC] stloukal at programator dot cz
I mean starting apache without -X switch. I am using:
/usr/local/apache2/bin/apachectl start
 [2007-03-01 14:40 UTC]
What if you change MPM to "prefork" ?
 [2007-03-02 02:01 UTC] stloukal at programator dot cz
With "prefork" without problems!!
 [2007-03-06 12:03 UTC]
I was testing it with Apache 2.2.4 *worker*.
So I'm still unable to reproduce it.
 [2007-03-06 17:09 UTC] stloukal at programator dot cz
I recompiled Apache with "worker" again (and PHP too) and I have the same problem again. Here are some configs:

[root@shaman php-5.2.1]# cat config.nice
#! /bin/sh
# Created by configure

'./configure' \
'--prefix=/usr/local/php5' \
'--with-config-file-path=/etc/' \
'--enable-magic-quotes' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--enable-safe-mode' \
'--enable-debug' \
'--with-openssl=/usr/local/' \
'--with-zlib' \
'--enable-bcmath' \
'--enable-calendar' \
'--with-curl' \
'--enable-ftp' \
'--enable-exif' \
'--with-gd' \
'--enable-gd-native-ttf' \
'--with-jpeg-dir=/usr/local/' \
'--with-png-dir=/usr/local/' \
'--with-freetype-dir' \
'--with-imap' \
'--with-imap-ssl' \
'--with-gettext' \
'--with-zlib=/usr/local/' \
'--with-mcrypt=/usr/local/' \
'--with-mhash=/usr/local/' \
'--with-mysqli=/usr/local/mysql/bin/mysql_config' \
'--with-iodbc=/usr/local' \
'--with-pdo-mysql=/usr/local/mysql' \
'--with-pdo-pgsql=/usr/local/pgsql/bin/pg_config' \
'--with-pgsql=/usr/local/pgsql/bin/pg_config' \
'--enable-soap' \
'--enable-sockets' \
'--without-sqlite' \
'--enable-wddx' \
'--enable-zip' \
'--with-pear' \
'--with-zend-vm' \
'--enable-zend-multibyte' \
'--with-kerberos' \
'--with-mysql=/usr/local/mysql' \
'--with-iconv=/usr/local' \

[root@shaman httpd-2.2.4]# cat config.nice
#! /bin/sh
# Created by configure

"./configure" \
"--enable-auth-digest" \
"--enable-proxy" \
"--enable-proxy-connect" \
"--enable-proxy-ftp" \
"--enable-proxy-http" \
"--enable-proxy-balancer" \
"--enable-ssl" \
"--enable-log-forensic" \
"--enable-static-htpasswd" \
"--disable-cgi" \
"--enable-so" \
"--enable-rewrite" \
"--with-included-apr" \
"--with-ssl=/usr/local" \
"--with-mpm=worker" \

[root@shaman httpd-2.2.4]# uname -a
Linux shaman 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 athlon i386 GNU/Linux
 [2007-03-06 17:40 UTC]
Please remove all configure options not required to reproduce it.
--disable-all --with-apxs2=.. is a good start.
 [2007-03-07 08:31 UTC] stloukal at programator dot cz
So I compiled PHP with options:

[stloukad@shaman php-5.2.1]$ cat config.nice
#! /bin/sh
# Created by configure

'./configure' \
'--prefix=/usr/local/php5' \
'--with-config-file-path=/etc/' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--disable-all' \

and Apache:
[stloukad@shaman httpd-2.2.4]$ cat config.nice
#! /bin/sh
# Created by configure

"./configure" \
"--enable-ssl" \
"--enable-static-htpasswd" \
"--disable-cgi" \
"--enable-so" \
"--enable-rewrite" \
"--with-included-apr" \
"--with-ssl=/usr/local" \
"--with-mpm=worker" \

...and still the same behaviour. But with "--with-mpm=prefork" instead of "--with-mpm=worker" it works fine.

When I start Apache (with worker module) with "-X" option (e.g. [root@shaman bin]# ./apachectl -X -f /etc/httpd/conf/httpd.conf -k start), upload works fine too.

I can read files from the "tmp" when I access via URL (e.g.
 [2007-03-08 11:49 UTC] stloukal at programator dot cz
The same behaviour on another computer:

[root@colonel web]# id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.
[root@colonel web]# uname -a
Linux colonel 2.6.18-1.2200.fc5smp #1 SMP Sat Oct 14 17:15:35 EDT 2006 i686 i686 i386 GNU/Linux
 [2007-03-08 18:27 UTC] stloukal at programator dot cz
And next computer with described behaviour:

[root@krtek tmp]#  id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.
[root@krtek tmp]# uname -a
Linux krtek 2.6.19-1.2911.fc6 #1 SMP Sat Feb 10 15:51:47 EST 2007 i686 athlon i386 GNU/Linux
 [2007-04-26 09:24 UTC]
Please try using this CVS snapshot:
For Windows:

 [2007-05-04 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-02-25 07:31 UTC] pallenzine12 at gmail dot com
    m using his code to move a file from temp folder to targe folder
  its running successfully on local host but not working on free hosting server can any one help me in giving a valid path for moving file. 

if(!move_uploaded_file($_FILES["file"]["tmp_name"],"/upload/".$_FILES["file"]["name"] ))
  echo "file can not be moved";
  echo "file moved";
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Jan 19 06:01:23 2021 UTC