|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41824 move_uploaded_file open_basedir problem
Submitted: 2007-06-27 14:16 UTC Modified: 2008-07-11 21:27 UTC
Avg. Score:4.0 ± 0.9
Reproduced:14 of 14 (100.0%)
Same Version:6 (42.9%)
Same OS:4 (28.6%)
From: mueller at intertrend dot de Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.4.7 OS: SUSE LINUX 10.0
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: mueller at intertrend dot de
New email:
PHP Version: OS:


 [2007-06-27 14:16 UTC] mueller at intertrend dot de
move_uploaded_file() does not work if open_basedir is set.

settings in php.ini:
file_uploads = On
upload_tmp_dir = /tmp

settings in httpd.conf:
php_admin_value open_basedir /www/com/servername

tmp-dir and destination-dir are on the same filesystem.

Reproduce code:
$uploaddir = '/www/com/servername';
$uploadfile = $uploaddir . basename($_FILES['userfile']['tmp_name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";

echo 'Here is some more debugging info:';

print "</pre>";

Expected result:
File is valid, and was successfully uploaded.

Actual result:
Warning:  move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/php5bwW9n) is not within the allowed path(s): (/www/com/servername) in /www/com/servername/test.php on line 9

Warning:  move_uploaded_file(/tmp/php5bwW9n) [function.move-uploaded-file]: failed to open stream: Operation not permitted in /www/com/servername/test.php on line 9

Warning:  move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/php5bwW9n' to '/www/com/servername/php5bwW9n' in /www/com/servername/test.php on line 9

Possible file upload attack!
Here is some more debugging info:Array
    [userfile] => Array
            [name] => Neu Textdokument (2).txt
            [type] => text/plain
            [tmp_name] => /tmp/php5bwW9n
            [error] => 0
            [size] => 1500



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-08 09:45 UTC] gkieffer at evolutive dot org

I have the same behavior (that contradicts the documentation): source argument of move_uploaded_file() is checked against open_basedir.

As requested by '', I've tried the latest PHP4 snapshot (php4-STABLE-200710080830) and the open_basedir restriction is still enforced on the source parameter of move_uploaded_file.

4.4.8-dev (snapshot): KO
4.4.7 : KO
4.4.6 : KO
4.4.5 : KO
4.4.3 : KO
4.4.2 : OK
4.4.1 : (I assume, I haven't tested it)
4.4.0 : OK

Here's some extra info about my environment:
Linux Debian Sarge
Apache 2.0.59 (compiled, not a Debian pkg)
PHP 4.4.x compiled as a module for Apache 2.0.59

upload_tmp_dir = /var/run/php-file-uploads

open_basedir = /wrk1/htdocssds/site.fqdn/

/var and /wrk1 are different (ext3) filesystems.

destination dir of move_uploaded_file() is /wrk1/htdocssds/site.fqdn/backoffice/photo_gest/

If I add '/var/run/php-file-uploads/' to open_basedir everything works fine but this is not the expected behavior.

Hope it helps !

 [2007-10-08 12:18 UTC] gkieffer at evolutive dot org

After some investigation, here's what I've found.

move_uploaded_file() makes use of the internal PHP function php_copy_file() when source file and destination file are not on the same filesystem (rename() works only on a single FS).

php_copy_file() changed from version 4.4.2 to 4.4.3:

# diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c
[ ... discarded some stuff ...]
@@ -2196,7 +2201,7 @@

        srcstream = php_stream_open_wrapper(src, "rb",
-                               STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
+                               ENFORCE_SAFE_MODE | REPORT_ERRORS,

        if (!srcstream)

I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass open_basedir". And as that flag is gone...

Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the destination of move_uploaded_file() are on the same FS, everything works fine as as "rename()" is used (which is not affected by open_basedir restrictions).

I "solved" the issue by moving my upload_tmp_dir to the same FS where my websites are stored.

 [2007-10-10 01:31 UTC] mueller at intertrend dot de
 [2008-04-05 21:44 UTC] carsten at bleicker dot de

php_admin_value open_basedir /home/pumatertion/public_html
php_admin_value upload_tmp_dir /home/pumatertion/public_html/.temp_uploads

works on my server

.temp_uploads has to be writeable for apache.
otherwise it seems that php uses the default /tmp folder
 [2008-07-11 21:27 UTC]
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6

PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Jan 28 06:03:41 2022 UTC