ID: 41824 Comment by: carsten at bleicker dot de Reported By: mueller at intertrend dot de Status: Open Bug Type: Safe Mode/open_basedir Operating System: SUSE LINUX 10.0 PHP Version: 4.4.7 New Comment:
vhost.conf: php_admin_value open_basedir /home/pumatertion/public_html php_admin_value upload_tmp_dir /home/pumatertion/public_html/.temp_uploads works on my server .temp_uploads has to be writeable for apache. otherwise it seems that php uses the default /tmp folder Previous Comments: ------------------------------------------------------------------------ [2007-10-10 01:31:29] mueller at intertrend dot de ./. ------------------------------------------------------------------------ [2007-10-08 12:18:05] gkieffer at evolutive dot org Hi, After some investigation, here's what I've found. move_uploaded_file() makes use of the internal PHP function php_copy_file() when source file and destination file are not on the same filesystem (rename() works only on a single FS). php_copy_file() changed from version 4.4.2 to 4.4.3: # diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c [ ... discarded some stuff ...] @@ -2196,7 +2201,7 @@ safe_to_copy: srcstream = php_stream_open_wrapper(src, "rb", - STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS, + ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); if (!srcstream) I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass open_basedir". And as that flag is gone... Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the destination of move_uploaded_file() are on the same FS, everything works fine as as "rename()" is used (which is not affected by open_basedir restrictions). I "solved" the issue by moving my upload_tmp_dir to the same FS where my websites are stored. Bye, G. ------------------------------------------------------------------------ [2007-10-08 09:45:00] gkieffer at evolutive dot org Hi, I have the same behavior (that contradicts the documentation): source argument of move_uploaded_file() is checked against open_basedir. As requested by '[EMAIL PROTECTED]', I've tried the latest PHP4 snapshot (php4-STABLE-200710080830) and the open_basedir restriction is still enforced on the source parameter of move_uploaded_file. 4.4.8-dev (snapshot): KO 4.4.7 : KO 4.4.6 : KO 4.4.5 : KO 4.4.3 : KO 4.4.2 : OK 4.4.1 : (I assume, I haven't tested it) 4.4.0 : OK Here's some extra info about my environment: Linux Debian Sarge Apache 2.0.59 (compiled, not a Debian pkg) PHP 4.4.x compiled as a module for Apache 2.0.59 upload_tmp_dir = /var/run/php-file-uploads open_basedir = /wrk1/htdocssds/site.fqdn/ /var and /wrk1 are different (ext3) filesystems. destination dir of move_uploaded_file() is /wrk1/htdocssds/site.fqdn/backoffice/photo_gest/ If I add '/var/run/php-file-uploads/' to open_basedir everything works fine but this is not the expected behavior. Hope it helps ! Bye, G. ------------------------------------------------------------------------ [2007-07-05 01:00:01] php-bugs at lists dot php dot net No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". ------------------------------------------------------------------------ [2007-06-27 15:49:08] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/41824 -- Edit this bug report at http://bugs.php.net/?id=41824&edit=1