From:
Operating system: Linux h1638833 2.6.18-028stab064
PHP version: 5.3.2
Package: Filesystem function related
Bug Type: Bug
Bug description: open_basedir and move_uploaded_file does not harmonize!
Description:
------------
I have several vhosts and I'd like to use the open_basedir setting for
them.
My PHP config is something like this:
Directive | Local Value | Master Value
[...]
safe_mode | Off | Off
safe_mode_exec_dir | /usr/local/php/bin | /usr/local/php/bin
safe_mode_gid | Off | Off
safe_mode_include_dir | no value | no value
upload_tmp_dir | /tmp | /tmp
open_basedir | /srv/www/vhosts/domain.tld/httpdocs;/tmp | no value
[...]
When I upload files, they do get in /tmp directory and have the privilege:
-rw-r--r-- 1 wwwrun www 647585 30. Mai 15:43 demo.jpg
The move_uploaded_file function, using absolute directories and correct
paths (I verified this), always returns false on my PHP 5.3.1 and PHP 5.3.2
compilation!
The target directory has full rwx privileges for all user/group/others and
there is not a filesystem privilege problem!
The php log files are not very verbose, in fact, it tells me nothing about
the failed movement (also tried with report_error = E_ALL).
If I use rename instead of move_uploaded_file, PHP seems to move the file.
Test script:
---------------
// assumes the upload is successfully done (I can see the file
// in the filesystem with the privileges: -rw-r--r-- 1 wwwrun www).
[...]
if (move_uploaded_file("/tmp/silverstripe-cache-srv-www-vhosts-domain.tld-httpdocs-silverstripe-v2.4.0/demo.jpg",
        "/srv/www/vhosts/domain.tld/httpdocs/silverstripe-4.2.0/assets/Upload/demo.jpg"))
{
    return true;
} else {
    return false;
}
[...]
Expected result:
----------------
I expect that the file can be moved with the move_uploaded_file from /tmp
to the /srv/www/vhosts/domain.tld/httpdocs/silverstripe-4.2.0/assets/Upload
by PHP (apache user wwwrun) which created the file in the directory /tmp as
well (just a few seconds before). It should take care of the open_basedir
setting.
The target directory and also the source directory are specified in the
open_basedir setting.
Actual result:
--------------
If I overwrite the open_basedir setting for the virtual host to "none", the
upload and move_uploaded_file works fine:
Directive | Local Value | Master Value
open_basedir | no value | no value
But it's not a pretty solution for me just to turn off this security
feature!
When I google I only find thousands of other people having problems with
open_basedir. :-(
--
Edit bug report at http://bugs.php.net/bug.php?id=51949&edit=1
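
Added note and example, not part of the original report and not code from the PHP project: PHP splits the open_basedir value on PATH_SEPARATOR, which is ':' on Linux and ';' on Windows. The sketch below is a simplified model of that split and of a directory-boundary match (the helper names are hypothetical and symlink resolution is left out), run over the value and the two paths shown in the report.

```php
<?php
// Added example: simplified model of open_basedir entry matching.
// basedir_entries() and path_allowed() are hypothetical helpers, not PHP APIs.

// Split an open_basedir value on a separator, dropping empty entries.
function basedir_entries($value, $sep)
{
    return array_values(array_filter(explode($sep, $value), 'strlen'));
}

// True if $path lies inside one of the entries (directory-boundary match).
function path_allowed($value, $sep, $path)
{
    $path = rtrim($path, '/') . '/';
    foreach (basedir_entries($value, $sep) as $entry) {
        if (strpos($path, rtrim($entry, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Value and paths as they appear in the report.
$reported = '/srv/www/vhosts/domain.tld/httpdocs;/tmp';
$paths = array(
    '/tmp/silverstripe-cache-srv-www-vhosts-domain.tld-httpdocs-silverstripe-v2.4.0/demo.jpg',
    '/srv/www/vhosts/domain.tld/httpdocs/silverstripe-4.2.0/assets/Upload/demo.jpg',
);
// Constructed variant: the same two directories joined with ':'.
$colon = str_replace(';', ':', $reported);

$cases = array(
    array($reported, ';'),  // how a Windows build would split the reported value
    array($reported, ':'),  // how a Linux build would split the reported value
    array($colon, ':'),     // colon-separated value on a Linux build
);
foreach ($cases as $case) {
    list($value, $sep) = $case;
    $entries = basedir_entries($value, $sep);
    printf("value=%s sep=%s -> %d entries\n", $value, $sep, count($entries));
    foreach ($paths as $p) {
        printf("  %-7s %s\n", path_allowed($value, $sep, $p) ? 'allowed' : 'denied', $p);
    }
}
printf("PATH_SEPARATOR on this host: %s\n", PATH_SEPARATOR);
```

On a live vhost, the same comparison can be made against `ini_get('open_basedir')` instead of the hard-coded value.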