php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65057 move_uploaded_file() umask acl
Submitted: 2013-06-18 13:24 UTC Modified: -
Votes:9
Avg. Score:4.7 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:3 (37.5%)
Same OS:7 (87.5%)
From: pb at complex dot pl Assigned:
Status: Open Package: Filesystem function related
PHP Version: 5.3.26 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2013-06-18 13:24 UTC] pb at complex dot pl
Description:
------------
move_uploaded_file() uses VCWD_CHMOD(new_path, 0666 & ~oldmask). This breaks acls of uploaded files when umask is set to 077

The setup is as follows:
- all files are owned by user:user
- all files have 600 perms, dirs have 700
- PHP script is invoked as user:user (suexec+fcgid)
- ACLs are used to grant access for apache user (user:apache:r-x, default:user:apache:r-x) on all files and dirs.
- umask set to 077

When file is uploaded to upload_tmp_dir getfacl shows:
user::rw-
user:apache:r-x                 #effective:r--
group::---
mask::r--
other::---

After calling move_uploaded_file() the file in dest_dir has following ACLs:
user::rw-
user:apache:r-x                 #effective:---
group::---
mask::---
other::---

chmod(600) invoked in this case in move_uploaded_file() changes ACL mask to 000 which in turn revokes access for apache user.

Expected result:
----------------
Preserve ACL of uploaded files.

Actual result:
--------------
ACL get broken after calling move_uploaded_file()

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Mon Oct 22 03:01:25 2018 UTC