|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65057 move_uploaded_file() umask acl
Submitted: 2013-06-18 13:24 UTC Modified: -
Avg. Score:4.4 ± 0.9
Reproduced:10 of 10 (100.0%)
Same Version:3 (30.0%)
Same OS:9 (90.0%)
From: pb at complex dot pl Assigned:
Status: Open Package: Filesystem function related
PHP Version: 5.3.26 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2013-06-18 13:24 UTC] pb at complex dot pl
move_uploaded_file() uses VCWD_CHMOD(new_path, 0666 & ~oldmask). This breaks acls of uploaded files when umask is set to 077

The setup is as follows:
- all files are owned by user:user
- all files have 600 perms, dirs have 700
- PHP script is invoked as user:user (suexec+fcgid)
- ACLs are used to grant access for apache user (user:apache:r-x, default:user:apache:r-x) on all files and dirs.
- umask set to 077

When file is uploaded to upload_tmp_dir getfacl shows:
user:apache:r-x                 #effective:r--

After calling move_uploaded_file() the file in dest_dir has following ACLs:
user:apache:r-x                 #effective:---

chmod(600) invoked in this case in move_uploaded_file() changes ACL mask to 000 which in turn revokes access for apache user.

Expected result:
Preserve ACL of uploaded files.

Actual result:
ACL get broken after calling move_uploaded_file()


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 15 22:01:28 2024 UTC