ID: 42291 Comment by: mail at peter-thomassen dot de Reported By: rob-phpbugs at tigertech dot com Status: No Feedback Bug Type: Filesystem function related Operating System: Linux PHP Version: 5.2.4 New Comment:
I just checked this with today's snapshot (5.2.7 devel), and move_uploaded_file() now respects the umask setting. For the temporary file (before the move_uploaded_file() call, usually in /tmp/), the umask setting is respected only for the owner's bits. Group and world permission are set to 0 (as if umask was 0x77, with x being the owner's umask). As I already said, everything is set right when moving the file away. It seems that this bug is fixed. In production, I still have to use PHP 5.2.0 with some patches. Does anybody know in which version this bug was fixed? Previous Comments: ------------------------------------------------------------------------ [2007-11-26 01:00:00] php-bugs at lists dot php dot net No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". ------------------------------------------------------------------------ [2007-11-18 23:47:28] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows (zip): http://snaps.php.net/win32/php5.2-win32-latest.zip For Windows (installer): http://snaps.php.net/win32/php5.2-win32-installer-latest.msi ------------------------------------------------------------------------ [2007-11-05 23:28:25] rob-phpbugs at tigertech dot com I fear this bug could be ignored because I tagged it as happening on PHP 4. Just to make sure it's clear, I'm retagging it as happening in PHP 5.2.4 -- it affects all versions. ------------------------------------------------------------------------ [2007-11-04 17:16:19] marcel dot wiechmann at gmail dot com Same problem here. But not only under php 4.4.7 also under php 5.2.4 ------------------------------------------------------------------------ [2007-11-04 15:51:26] chh at innov8 dot ch I can confirm this behaviour. If "upload_tmp_dir" is on the same filesystem as the destination folder (normally the webspace of the customer(s) then the file permissions are set to 0600 - otherwise 0644 (umask at 0022), when using move_uploaded_file(). The temp file - before calling move_uploaded_file() - also has 0600 permissions. This leads to a problem when using suphp (suexec, fastcgi or whatever) and upload-functions in php applications which do not set the permissions after using move_uploaded_file() [Joomla seems to be such a candidate - Typo3 does it right..]. If you upload a static file which should be readable by the webserver but isn't because only PHP (and other user running applications) can access the file. All Upload functions should use a chmod() after move_uploded_file()... ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42291 -- Edit this bug report at http://bugs.php.net/?id=42291&edit=1
