Bug #55060 upload_tmp_dir and permissions
Submitted: 2011-06-29 04:04 UTC
Modified: -
Votes: 13
Avg. Score: 4.5 ± 1.1
Reproduced: 12 of 12 (100.0%)
Same Version: 5 (41.7%)
Same OS: 6 (50.0%)
From: hotwine at excite dot it
Assigned:
Status: Open
Package: Filesystem function related
PHP Version: 5.3.6
OS: Windows Server 2008 R2
Private report: No
CVE-ID:

 [2011-06-29 04:04 UTC] hotwine at excite dot it
Description:
------------
Hi,


I have a problem with the upload_tmp_dir ini setting. In my scenario it is ignored and the default value ("C:\Windows\Temp") is used.
My configuration is the following:

OS: Windows Server 2008 R2 (with IIS 7.5)
php: 5.3.3 (also tried with 5.3.6). Both with FastCGI enabled (with impersonation correctly enabled).

Main entries of the related php.ini

include_path = ".;C:\inetpub\wwwroot\MYSITE\"
upload_tmp_dir = "C:\inetpub\wwwroot\SESSION"
session.save_path = "C:\inetpub\wwwroot\SESSION"
doc_root = "C:\inetpub\wwwroot\MYSITE\"
open_basedir = "C:\inetpub\wwwroot\MYSITE\"

Permissions of the related IUSR user on the preceding folder:

Full control on "C:\inetpub\wwwroot\SESSION"
Read & Execute, List folder contents, Read on all the directory (including all the content) "C:\inetpub\wwwroot\MYSITE"
Full control on "C:\inetpub\wwwroot\MYSITE\upload"

With the preceding configuration a warning occurs when I try to upload a file.
The warning is related to the operations performed before moving the file from the temporary directory to the final directory.

PHP Warning:  Unknown: open_basedir restriction in effect. File(C:\Windows\TEMP\) is not within the allowed path(s): (C:\inetpub\wwwroot\MYSITE\) in Unknown on line 0
PHP Warning:  File upload error - unable to create a temporary file in Unknown on line 0

Because of the preceding warning, I concluded that the upload_tmp_dir entry was not correctly received by the php engine.
The php documentation (http://www.php.net/manual/en/ini.core.php#ini.upload-tmp-dir)
says that "If the directory specified here is not writable, PHP falls back to the system default temporary directory."
But in my case the directory was writable.

Debugging the request with Process Monitor (a Russinovich software), I've found that php-cgi.exe doesn't perform any operation
with the IUSR user on the path "C:\inetpub\wwwroot\SESSION". Only the path "C:\inetpub\wwwroot" (the parent) was checked,
with ACCESS DENIED (rightly, because the IUSR user doesn't own any permission on that directory).


So I tried to create a new folder within the "C:\inetpub\wwwroot\SESSION" directory with the name A (path "C:\inetpub\wwwroot\SESSION\A"),
so that the parent of the A directory was accessible to the IUSR user. And I've changed the upload_tmp_dir ini setting to the
value "C:\inetpub\wwwroot\SESSION\A".

With this configuration it works without any warning and the file has been correctly sent:

Main entries of the related php.ini:

include_path = ".;C:\inetpub\wwwroot\MYSITE\"
upload_tmp_dir = "C:\inetpub\wwwroot\SESSION\A"
session.save_path = "C:\inetpub\wwwroot\SESSION"
doc_root = "C:\inetpub\wwwroot\MYSITE\"
open_basedir = "C:\inetpub\wwwroot\MYSITE\"

Permissions of the related IUSR user on the preceding folder:

Full control on "C:\inetpub\wwwroot\SESSION"
Read & Execute, List folder contents, Read on all the directory (including all the content) "C:\inetpub\wwwroot\MYSITE"
Full control on "C:\inetpub\wwwroot\MYSITE\upload"


From this I've found that the necessary condition for a working upload_tmp_dir is that two requirements are satisfied:
- the user IUSR has write rights on the upload_tmp_dir directory
- the user IUSR has the List folder contents right on the parent of the upload_tmp_dir directory

I think that this isn't the desirable behaviour. Can anyone confirm that?


Thanks.
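
An added example, not part of the original report or of PHP itself: a PowerShell audit of the two ACL conditions the reporter identified. The function name Test-ExplicitRight is hypothetical, the defaults are the path and account from the report, and the script assumes that "writable" maps to the Write right and "List folder contents" to ListDirectory. It inspects only ACEs that name the account directly.

```powershell
# Added example: audit the two ACL conditions described in this report.
# Defaults are the reporter's working path and account; adjust for your server.
param(
    [string]$UploadTmpDir = 'C:\inetpub\wwwroot\SESSION\A',
    [string]$Account      = 'IUSR'
)

function Test-ExplicitRight {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Right
    )
    # Assumption of this example: only ACEs naming the account itself are
    # inspected. Rights granted through group membership are not resolved.
    $pattern = "(^|\\)$([regex]::Escape($Account))$"
    $rules = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -match $pattern }

    # Any Deny ACE overlapping the requested right wins over Allow ACEs.
    $denied = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ([int]($_.FileSystemRights -band $Right)) -ne 0
    }
    # An Allow ACE must cover every bit of the requested right.
    $allowed = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Right) -eq $Right
    }
    return (-not $denied) -and [bool]$allowed
}

$parent = Split-Path -Path $UploadTmpDir -Parent

$report = [pscustomobject]@{
    Account       = $Account
    UploadTmpDir  = $UploadTmpDir
    WriteOnTmpDir = Test-ExplicitRight $UploadTmpDir $Account 'Write'
    Parent        = $parent
    ListOnParent  = Test-ExplicitRight $parent $Account 'ListDirectory'
}
$report | Format-List

if (-not ($report.WriteOnTmpDir -and $report.ListOnParent)) {
    # Per the report, uploads then fail with the C:\Windows\TEMP
    # open_basedir warning instead of using upload_tmp_dir.
    Write-Warning "upload_tmp_dir does not meet both conditions from this report."
}
```

Run it from an elevated prompt so Get-Acl can read both directories.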


 [2011-08-30 11:11 UTC] campolungo at libero dot it
I've looked around for hours to solve the same upload problem.

Thank you very much
 
Last updated: Sun Apr 20 01:02:05 2014 UTC