ID: 41824
Comment by: carsten at bleicker dot de
Reported By: mueller at intertrend dot de
Status: Open
Bug Type: Safe Mode/open_basedir
Operating System: SUSE LINUX 10.0
PHP Version: 4.4.7
New Comment:
vhost.conf:
php_admin_value open_basedir /home/pumatertion/public_html
php_admin_value upload_tmp_dir
/home/pumatertion/public_html/.temp_uploads
works on my server
.temp_uploads has to be writeable for apache.
otherwise it seems that php uses the default /tmp folder
Previous Comments:
------------------------------------------------------------------------
[2007-10-10 01:31:29] mueller at intertrend dot de
./.
------------------------------------------------------------------------
[2007-10-08 12:18:05] gkieffer at evolutive dot org
Hi,
After some investigation, here's what I've found.
move_uploaded_file() makes use of the internal PHP function
php_copy_file() when source file and destination file are not on the
same filesystem (rename() works only on a single FS).
php_copy_file() changed from version 4.4.2 to 4.4.3:
# diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c
[ ... discarded some stuff ...]
@@ -2196,7 +2201,7 @@
safe_to_copy:
srcstream = php_stream_open_wrapper(src, "rb",
- STREAM_DISABLE_OPEN_BASEDIR |
REPORT_ERRORS,
+ ENFORCE_SAFE_MODE | REPORT_ERRORS,
NULL);
if (!srcstream)
I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass
open_basedir". And as that flag is gone...
Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the
destination of move_uploaded_file() are on the same FS, everything works
fine as as "rename()" is used (which is not affected by open_basedir
restrictions).
I "solved" the issue by moving my upload_tmp_dir to the same FS where
my websites are stored.
Bye,
G.
------------------------------------------------------------------------
[2007-10-08 09:45:00] gkieffer at evolutive dot org
Hi,
I have the same behavior (that contradicts the documentation): source
argument of move_uploaded_file() is checked against open_basedir.
As requested by '[EMAIL PROTECTED]', I've tried the latest PHP4 snapshot
(php4-STABLE-200710080830) and the open_basedir restriction is still
enforced on the source parameter of move_uploaded_file.
4.4.8-dev (snapshot): KO
4.4.7 : KO
4.4.6 : KO
4.4.5 : KO
4.4.3 : KO
4.4.2 : OK
4.4.1 : (I assume, I haven't tested it)
4.4.0 : OK
Here's some extra info about my environment:
Linux Debian Sarge
Apache 2.0.59 (compiled, not a Debian pkg)
PHP 4.4.x compiled as a module for Apache 2.0.59
upload_tmp_dir = /var/run/php-file-uploads
open_basedir = /wrk1/htdocssds/site.fqdn/
/var and /wrk1 are different (ext3) filesystems.
destination dir of move_uploaded_file() is
/wrk1/htdocssds/site.fqdn/backoffice/photo_gest/
If I add '/var/run/php-file-uploads/' to open_basedir everything works
fine but this is not the expected behavior.
Hope it helps !
Bye,
G.
------------------------------------------------------------------------
[2007-07-05 01:00:01] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2007-06-27 15:49:08] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/41824
--
Edit this bug report at http://bugs.php.net/?id=41824&edit=1
