ID: 38934
Comment by: moron at industrial dot org
Reported By: phpbugs at thequod dot de
Status: Feedback
Bug Type: Safe Mode/open_basedir
Operating System: Ubuntu Linux
PHP Version: 5.1.6
New Comment:
Sorry, forgot to note that in our case, "upload_tmp_dir" is explicitly
set.
Previous Comments:
------------------------------------------------------------------------
[2006-09-29 18:12:05] moron at industrial dot org
Exact same behaviour with 4.4.4 under FreeBSD 6.1.
Frustrating as this bug has appeared before.
------------------------------------------------------------------------
[2006-09-25 12:54:21] [EMAIL PROTECTED]
Cannot reproduce with both 5.1.6 and latest CVS.
With upload_tmp_dir not set (aka "/tmp") and open_basedir="/www", I get
this: File is valid, and was successfully uploaded.
------------------------------------------------------------------------
[2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se
Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big
difference) and have "php_admin_value upload_tmp_dir none" set (so it
defaults to /tmp).
---8<---
Warning: move_uploaded_file(): open_basedir restriction in effect.
File(/tmp/phpP5moMa) is not within the allowed path(s):
(.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in
/apache/htdocs/bwiberg/test/safemode/upload.php on line 9
--->8---
As you can see, /tmp is not within open_basedir, but I think it should
not need to be...
---8<---
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
instead
// of $_FILES.
$uploaddir = '/apache/htdocs/bwiberg/test/safemode/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($_FILES);
print "</pre>";
?>
--->8---
Best regards,
Björn
------------------------------------------------------------------------
[2006-09-23 11:36:40] phpbugs at thequod dot de
Description:
------------
According to the documentation PHP should be able to read
the uploaded file, although it's outside the open_basedir
directories:
"""
Note: move_uploaded_file() is both safe mode and
open_basedir aware. However, restrictions are placed only
on the destination path as to allow the moving of uploaded
files in which filename may conflict with such
restrictions. move_uploaded_file() ensures the safety of
this operation by allowing only those files uploaded
through PHP to be moved.
"""
However, I have to add /tmp to open_basedir - which is bad
in terms of users would be allowed to access the files
there!
I've not explicitely set the upload_tmp_dir directive, so
the default "/tmp" gets used.
See also these old bugs, where it seems to have been
fixed, but now is broken again:
http://bugs.php.net/bug.php?id=21885
http://bugs.php.net/bug.php?id=27559
Reproduce code:
---------------
upload.php file:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'on');
if( empty($_FILES) )
{
?>
<!-- The data encoding type, enctype, MUST be specified as below -->
<form enctype="multipart/form-data" action="upload.php" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<!-- Name of input element determines name in $_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
<?php
}
else
{
$uploadfile = dirname(__FILE__).'/upload_file.test';
echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'],
$uploadfile)) {
echo "File is valid, and was successfully
uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($_FILES);
print "</pre>";
}
?>
Expected result:
----------------
File upload.
Actual result:
--------------
Warning: move_uploaded_file()
[function.move-uploaded-file]: open_basedir restriction in
effect. File(/tmp/phpoNSKDN) is not within the allowed
path(s): (/XXX) in ...
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38934&edit=1
