Bug #41824 move_uploaded_file open_basedir problem
Submitted: 2007-06-27 14:16 UTC Modified: 2008-07-11 21:27 UTC
Votes:16
Avg. Score:4.0 ± 0.9
Reproduced:14 of 14 (100.0%)
Same Version:6 (42.9%)
Same OS:4 (28.6%)
From: mueller at intertrend dot de Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.4.7 OS: SUSE LINUX 10.0
Private report: No CVE-ID: None

 [2007-06-27 14:16 UTC] mueller at intertrend dot de
Description:
------------
move_uploaded_file() does not work if open_basedir is set.

settings in php.ini:
file_uploads = On
upload_tmp_dir = /tmp

settings in httpd.conf:
php_admin_value open_basedir /www/com/servername

tmp-dir and destination-dir are on the same filesystem.

Reproduce code:
---------------
$uploaddir = '/www/com/servername/'; // trailing slash so the file lands inside the directory
$uploadfile = $uploaddir . basename($_FILES['userfile']['tmp_name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";


Expected result:
----------------
File is valid, and was successfully uploaded.

Actual result:
--------------
Warning:  move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/php5bwW9n) is not within the allowed path(s): (/www/com/servername) in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file(/tmp/php5bwW9n) [function.move-uploaded-file]: failed to open stream: Operation not permitted in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php5bwW9n' to '/www/com/servername/php5bwW9n' in /www/com/servername/test.php on line 9

Possible file upload attack!
Here is some more debugging info:Array
(
    [userfile] => Array
        (
            [name] => Neu Textdokument (2).txt
            [type] => text/plain
            [tmp_name] => /tmp/php5bwW9n
            [error] => 0
            [size] => 1500
        )

)

 [2007-10-08 09:45 UTC] gkieffer at evolutive dot org
Hi,

I have the same behavior (that contradicts the documentation): source argument of move_uploaded_file() is checked against open_basedir.

As requested by 'tony2001@php.net', I've tried the latest PHP4 snapshot (php4-STABLE-200710080830) and the open_basedir restriction is still enforced on the source parameter of move_uploaded_file.

4.4.8-dev (snapshot): KO
4.4.7 : KO
4.4.6 : KO
4.4.5 : KO
4.4.3 : KO
4.4.2 : OK
4.4.1 : (I assume, I haven't tested it)
4.4.0 : OK

Here's some extra info about my environment:
Linux Debian Sarge
Apache 2.0.59 (compiled, not a Debian pkg)
PHP 4.4.x compiled as a module for Apache 2.0.59

upload_tmp_dir = /var/run/php-file-uploads

open_basedir = /wrk1/htdocssds/site.fqdn/

/var and /wrk1 are different (ext3) filesystems.

destination dir of move_uploaded_file() is /wrk1/htdocssds/site.fqdn/backoffice/photo_gest/

If I add '/var/run/php-file-uploads/' to open_basedir everything works fine but this is not the expected behavior.

Hope it helps!

Bye,
G.
 [2007-10-08 12:18 UTC] gkieffer at evolutive dot org
Hi,

After some investigation, here's what I've found.

move_uploaded_file() makes use of the internal PHP function php_copy_file() when source file and destination file are not on the same filesystem (rename() works only on a single FS).

php_copy_file() changed from version 4.4.2 to 4.4.3:

# diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c
[ ... discarded some stuff ...]
@@ -2196,7 +2201,7 @@
 safe_to_copy:

        srcstream = php_stream_open_wrapper(src, "rb",
-                               STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
+                               ENFORCE_SAFE_MODE | REPORT_ERRORS,
                                NULL);

        if (!srcstream)
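
Review bot: In the php_stream_open_wrapper(src, "rb", ...) call, replacing STREAM_DISABLE_OPEN_BASEDIR with ENFORCE_SAFE_MODE | REPORT_ERRORS removes the open_basedir exemption for the source path for every caller of this function, and this comment reports that move_uploaded_file() reaches it when the temp file and the destination are on different filesystems. If the check is wanted for ordinary copies, consider letting the caller choose the open flags, or giving the upload path its own entry point, so that a source already validated as an uploaded file is not rejected, and record the intended behaviour in a comment next to the call.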



I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass open_basedir". And as that flag is gone...

Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the destination of move_uploaded_file() are on the same FS, everything works fine as "rename()" is used (which is not affected by open_basedir restrictions).

I "solved" the issue by moving my upload_tmp_dir to the same FS where my websites are stored.

Bye,
G.
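
A preflight check for the condition analysed in the comment above, as an added example that is not part of the original report or of PHP itself: it reports whether upload_tmp_dir and the destination share a filesystem and whether the temp directory falls inside open_basedir. The function names are hypothetical, the directory-boundary match is a simplification of PHP's own open_basedir check, and the script is assumed to run from the CLI with no open_basedir in effect.

```php
<?php
// Added example (hypothetical helper names). Run from the CLI with no
// open_basedir in effect, otherwise realpath()/stat() are restricted too.

/** True if $path equals or lies beneath one of the open_basedir entries. */
function within_basedir(string $path, string $openBasedir): bool
{
    $real = realpath($path);
    if ($real === false) {
        return false;
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        // Skip empty or unresolvable entries (realpath('') would yield the cwd).
        if ($entry === '' || ($base = realpath($entry)) === false) {
            continue;
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR);
        // Directory-boundary match: a simplification of PHP's own check.
        if ($real === $base || strpos($real, $base . DIRECTORY_SEPARATOR) === 0) {
            return true;
        }
    }
    return false;
}

function upload_preflight(string $openBasedir, string $tmpDir, string $destDir): array
{
    $tmp = @stat($tmpDir);
    $dst = @stat($destDir);
    if ($tmp === false || $dst === false) {
        throw new RuntimeException('cannot stat upload_tmp_dir or destination');
    }
    $sameFs = $tmp['dev'] === $dst['dev'];   // same device => rename() is possible
    $tmpOk  = $openBasedir === '' || within_basedir($tmpDir, $openBasedir);
    $dstOk  = $openBasedir === '' || within_basedir($destDir, $openBasedir);
    return [
        'same_filesystem' => $sameFs,
        'tmp_in_basedir'  => $tmpOk,
        'dest_in_basedir' => $dstOk,
        // Per the analysis above: across filesystems the copy path is used,
        // and from 4.4.3 on it checks the source against open_basedir.
        'cross_fs_copy_blocked' => !$sameFs && !$tmpOk,
    ];
}

// Usage: php preflight.php <open_basedir> <upload_tmp_dir> <destination_dir>
if (PHP_SAPI === 'cli' && isset($argv) && count($argv) === 4) {
    print_r(upload_preflight($argv[1], $argv[2], $argv[3]));
}
```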
 [2007-10-10 01:31 UTC] mueller at intertrend dot de
./.
 [2008-04-05 21:44 UTC] carsten at bleicker dot de
vhost.conf:

php_admin_value open_basedir /home/pumatertion/public_html
php_admin_value upload_tmp_dir /home/pumatertion/public_html/.temp_uploads

works on my server

.temp_uploads has to be writeable for apache.
otherwise it seems that php uses the default /tmp folder
 [2008-07-11 21:27 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.


 
Last updated: Mon Dec 06 00:03:33 2021 UTC