Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Hello,

here is working code that demonstrates described bug. I append some configuration that may be interesting for you.

Configuration:
Safe mode: off
$_SERVER[SCRIPT_FILENAME]: /var/www/web/tuzemsko/krtek/admin/gallery_test.php
real path of the script: /home/chroot/home/krtek/web/tuzemsko/www/admin/gallery_test.php

/var/www/web/tuzemsko/krtek is a symbolic link to /home/chroot/home/krtek/web/tuzemsko/www/.

httpd.conf:
<Directory "/var/www/web/tuzemsko/krtek">
        php_admin_value upload_tmp_dir /home/chroot/tmp/
        php_admin_value open_basedir /var/www/web/tuzemsko/krtek/:/home/chroot/tmp/:/home/chroot/home/krtek/web/
</Directory>

Directory /home/chroot/home/krtek/web/tuzemsko/tmp/ has 0777 permissions.

-------------------------------------------------------

Script:
<?php

// *************** UPLOAD FOTKY ***************
if ($_REQUEST['load_pic']) {

        $name = 'galerie_'.$_FILES['soubor']['name'];
        $path = '../../tmp/'.$name;

        echo 'uploaded: '.$_FILES['soubor']['tmp_name'].' = '.(int)file_exists($_FILES['soubor']['tmp_name']);
        $res = move_uploaded_file($_FILES['soubor']['tmp_name'], $path);
        echo ' moved: '.$path.' = '.(int)file_exists($path);

}
// *************** UPLOAD FOTKY KONEC ***************

echo '
<form action="'.$_SERVER['PHP_SELF'].'" method="post" enctype="multipart/form-data">
        <input type="hidden" name="MAX_FILE_SIZE" value="200000" />
        <input type="file" name="soubor" />
        <input type="submit" value="Save" />
        <input type="hidden" name="load_pic" value="true" />
</form>
      ';
?>

Everything worked fine with 5.1.2 version.

Cannot reproduce.
Fix your symlinks pointing to and out chroots.

Hello,

I don't know, what to fix. I can use the same configuration, the same symlinks, the same script and when I change the name of the target directory (e.g. ../../tmp/test/ or ../../temp/) everything works fine without problems. I don't think the problem is in the symlinks. Even if I create symlink for "tmp" named "temp" and I use "../../temp" path instead "../../tmp" path, it works fine.

I'm totally lost in your paths, "/home/chroot/home/krtek/web/tuzemsko/tmp/", which is actually "/var/www/web/tuzemsko/krtek/web/tuzemsko/tmp" is a bit hard to read and recreate.
Please provide simple and clear directory structure I need to create in order to reproduce it.
For example:
/www/tmp - upload dir
/www - scripts dir
etc. etc.

OK, sorry for inconvenience. I created in my DocumentRoot (/var/www/web/) directories "bug_test" and "tmp" (both 0777 permissions). No symlinks are used! Then I placed script gallery_test.php (see my post from [19 Feb 12:26pm UTC]) into the bug_test directory. That's all. Script behaviour matches the described bug.

uploaded: /www/tmp/phpweyhUK = 1 
moved: ../tmp/galerie_DSCF6801_resize.JPG = 1

Works perfectly fine.

Addition to [26 Feb 3:23pm UTC]: please change the line 7 in script - use "$path = '../tmp/'.$name;" instead of "$path = '../../tmp/'.$name;"

Somehow I figured that out myself, thanks.
Please remove open_basedir and see if it makes any difference.

There are no open_basedir (or any other) restrictions for /var/www/web or var/www/web/bug_test.

Please, could you look at this page (https://bug_test.devel.gtspartner.cz/index.php)? It contains my script and phpinfo() output. Maybe, my problem is not in PHP. Should it be somewhere else? E.g. in Apache or Linux? I turned SELinux off.

Add error_reporting(E_ALL | E_STRICT) to the beginning of the script.

>I turned SELinux off.
See if `ls -Z` works for you.

Error reporting added.

[stloukad@shaman web]$ ls -Z
drwxrwxrwx  root     root                                     bug_test
drwxrwxrwx  root     root                                      tmp

"ls -Z" can only work if SELinux is enabled, so you did not turn it off.

Now it is really turned off.

[root@shaman web]# cat /etc/sysconfig/selinux
SELINUX=Disabled

It unfortunately doesn't affect described behaviour.

>Now it is really turned off.
ls -Z ?

ls -Z gives the same output as previous. But I think SELinux is disabled:

[root@shaman web]# id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.

I added also selinux=0 into grub.conf on the kernel booting line and restarted computer.

I can't reproduce it.
You can try to trace it with GDB (don't forget to rebuild PHP with --enable-debug in this case).

I started apache (2.2.4, --with-mpm=worker) in debug mode and described bug disappeared. In standard mode is bug still present. May be it is a bug in Apache??

What do you mean by "standard mode"?

I mean starting apache without -X switch. I am using:
/usr/local/apache2/bin/apachectl start

What if you change MPM to "prefork" ?

With "prefork" without problems!!

I was testing it with Apache 2.2.4 *worker*.
So I'm still unable to reproduce it.

I recompiled Apache with "worker" again (and PHP too) and I have the same problem again. Here are some configs:

[root@shaman php-5.2.1]# cat config.nice
#! /bin/sh
#
# Created by configure

'./configure' \
'--prefix=/usr/local/php5' \
'--with-config-file-path=/etc/' \
'--enable-magic-quotes' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--enable-safe-mode' \
'--enable-debug' \
'--with-openssl=/usr/local/' \
'--with-zlib' \
'--enable-bcmath' \
'--enable-calendar' \
'--with-curl' \
'--enable-ftp' \
'--enable-exif' \
'--with-gd' \
'--enable-gd-native-ttf' \
'--with-jpeg-dir=/usr/local/' \
'--with-png-dir=/usr/local/' \
'--with-freetype-dir' \
'--with-imap' \
'--with-imap-ssl' \
'--with-gettext' \
'--with-zlib=/usr/local/' \
'--with-mcrypt=/usr/local/' \
'--with-mhash=/usr/local/' \
'--with-mysqli=/usr/local/mysql/bin/mysql_config' \
'--with-iodbc=/usr/local' \
'--with-pdo-mysql=/usr/local/mysql' \
'--with-pdo-pgsql=/usr/local/pgsql/bin/pg_config' \
'--with-pgsql=/usr/local/pgsql/bin/pg_config' \
'--enable-soap' \
'--enable-sockets' \
'--without-sqlite' \
'--enable-wddx' \
'--enable-zip' \
'--with-pear' \
'--with-zend-vm' \
'--enable-zend-multibyte' \
'--with-kerberos' \
'--with-mysql=/usr/local/mysql' \
'--with-iconv=/usr/local' \
"$@"


[root@shaman httpd-2.2.4]# cat config.nice
#! /bin/sh
#
# Created by configure

"./configure" \
"--enable-auth-digest" \
"--enable-proxy" \
"--enable-proxy-connect" \
"--enable-proxy-ftp" \
"--enable-proxy-http" \
"--enable-proxy-balancer" \
"--enable-ssl" \
"--enable-log-forensic" \
"--enable-static-htpasswd" \
"--disable-cgi" \
"--enable-so" \
"--enable-rewrite" \
"--with-included-apr" \
"--with-ssl=/usr/local" \
"--with-mpm=worker" \
"$@"

[root@shaman httpd-2.2.4]# uname -a
Linux shaman 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 athlon i386 GNU/Linux

Please remove all configure options not required to reproduce it.
--disable-all --with-apxs2=.. is a good start.

So I compiled PHP with options:

[stloukad@shaman php-5.2.1]$ cat config.nice
#! /bin/sh
#
# Created by configure

'./configure' \
'--prefix=/usr/local/php5' \
'--with-config-file-path=/etc/' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--disable-all' \
"$@"

and Apache:
[stloukad@shaman httpd-2.2.4]$ cat config.nice
#! /bin/sh
#
# Created by configure

"./configure" \
"--enable-ssl" \
"--enable-static-htpasswd" \
"--disable-cgi" \
"--enable-so" \
"--enable-rewrite" \
"--with-included-apr" \
"--with-ssl=/usr/local" \
"--with-mpm=worker" \
"$@"

...and still the same behaviour. But with "--with-mpm=prefork" instead of "--with-mpm=worker" it works fine.

When I start Apache (with worker module) with "-X" option (e.g. [root@shaman bin]# ./apachectl -X -f /etc/httpd/conf/httpd.conf -k start), upload works fine too.

I can read files from the "tmp" when I access via URL (e.g. http://my.address.com/tmp/myfile.jpg).

The same behaviour on another computer:

[root@colonel web]# id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.
[root@colonel web]# uname -a
Linux colonel 2.6.18-1.2200.fc5smp #1 SMP Sat Oct 14 17:15:35 EDT 2006 i686 i686 i386 GNU/Linux

And next computer with described behaviour:

[root@krtek tmp]#  id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.
[root@krtek tmp]# uname -a
Linux krtek 2.6.19-1.2911.fc6 #1 SMP Sat Feb 10 15:51:47 EST 2007 i686 athlon i386 GNU/Linux

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

hello 
    m using his code to move a file from temp folder to targe folder
  its running successfully on local host but not working on free hosting server can any one help me in giving a valid path for moving file. 




if(!move_uploaded_file($_FILES["file"]["tmp_name"],"/upload/".$_FILES["file"]["name"] ))
  {
  echo "file can not be moved";
  }
  else
  {
  echo "file moved";
  }
  
  }