#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir

2006-09-29 Thread moron at industrial dot org 
 ID:   38934
 Comment by:   moron at industrial dot org
 Reported By:  phpbugs at thequod dot de
 Status:   Feedback
 Bug Type: Safe Mode/open_basedir
 Operating System: Ubuntu Linux
 PHP Version:  5.1.6
 New Comment:

Exact same behaviour with 4.4.4 under FreeBSD 6.1. 

Frustrating as this bug has appeared before.


Previous Comments:


[2006-09-25 12:54:21] [EMAIL PROTECTED]

Cannot reproduce with both 5.1.6 and latest CVS.
With upload_tmp_dir not set (aka /tmp) and open_basedir=/www, I get
this: File is valid, and was successfully uploaded.



[2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se

Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big
difference) and have php_admin_value upload_tmp_dir none set (so it
defaults to /tmp).

---8---
Warning: move_uploaded_file(): open_basedir restriction in effect.
File(/tmp/phpP5moMa) is not within the allowed path(s):
(.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in
/apache/htdocs/bwiberg/test/safemode/upload.php on line 9
---8---

As you can see, /tmp is not within open_basedir, but I think it should
not need to be...

---8---
?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
instead
// of $_FILES.

$uploaddir = '/apache/htdocs/bwiberg/test/safemode/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
   echo File is valid, and was successfully uploaded.\n;
} else {
   echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
? 

---8---

Best regards,
Björn



[2006-09-23 11:36:40] phpbugs at thequod dot de

Description:

According to the documentation PHP should be able to read 
the uploaded file, although it's outside the open_basedir 
directories:

Note:  move_uploaded_file() is both safe mode and 
open_basedir aware. However, restrictions are placed only 
on the destination path as to allow the moving of uploaded 
files in which filename may conflict with such 
restrictions. move_uploaded_file() ensures the safety of 
this operation by allowing only those files uploaded 
through PHP to be moved.


However, I have to add /tmp to open_basedir - which is bad 
in terms of users would be allowed to access the files 
there!

I've not explicitely set the upload_tmp_dir directive, so 
the default /tmp gets used.

See also these old bugs, where it seems to have been 
fixed, but now is broken again:
http://bugs.php.net/bug.php?id=21885
http://bugs.php.net/bug.php?id=27559

Reproduce code:
---
upload.php file:
?php

error_reporting(E_ALL);
ini_set('display_errors', 'on');

if( empty($_FILES) )
{
?
!-- The data encoding type, enctype, MUST be specified as below --
form enctype=multipart/form-data action=upload.php method=POST
!-- MAX_FILE_SIZE must precede the file input field --
input type=hidden name=MAX_FILE_SIZE value=3 /
!-- Name of input element determines name in $_FILES array --
Send this file: input name=userfile type=file /
input type=submit value=Send File /
/form

?php
}
else
{
$uploadfile = dirname(__FILE__).'/upload_file.test';
echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'],
$uploadfile)) {
echo File is valid, and was successfully
uploaded.\n;
} else {
echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
}

?


Expected result:

File upload.

Actual result:
--
Warning: move_uploaded_file() 
[function.move-uploaded-file]: open_basedir restriction in 
effect. File(/tmp/phpoNSKDN) is not within the allowed 
path(s): (/XXX) in ...





-- 
Edit this bug report at http://bugs.php.net/?id=38934edit=1

#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir

2006-09-29 Thread moron at industrial dot org 
 ID:   38934
 Comment by:   moron at industrial dot org
 Reported By:  phpbugs at thequod dot de
 Status:   Feedback
 Bug Type: Safe Mode/open_basedir
 Operating System: Ubuntu Linux
 PHP Version:  5.1.6
 New Comment:

Sorry, forgot to note that in our case, upload_tmp_dir is explicitly
set.


Previous Comments:


[2006-09-29 18:12:05] moron at industrial dot org

Exact same behaviour with 4.4.4 under FreeBSD 6.1. 

Frustrating as this bug has appeared before.



[2006-09-25 12:54:21] [EMAIL PROTECTED]

Cannot reproduce with both 5.1.6 and latest CVS.
With upload_tmp_dir not set (aka /tmp) and open_basedir=/www, I get
this: File is valid, and was successfully uploaded.



[2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se

Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big
difference) and have php_admin_value upload_tmp_dir none set (so it
defaults to /tmp).

---8---
Warning: move_uploaded_file(): open_basedir restriction in effect.
File(/tmp/phpP5moMa) is not within the allowed path(s):
(.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in
/apache/htdocs/bwiberg/test/safemode/upload.php on line 9
---8---

As you can see, /tmp is not within open_basedir, but I think it should
not need to be...

---8---
?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
instead
// of $_FILES.

$uploaddir = '/apache/htdocs/bwiberg/test/safemode/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
   echo File is valid, and was successfully uploaded.\n;
} else {
   echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
? 

---8---

Best regards,
Björn



[2006-09-23 11:36:40] phpbugs at thequod dot de

Description:

According to the documentation PHP should be able to read 
the uploaded file, although it's outside the open_basedir 
directories:

Note:  move_uploaded_file() is both safe mode and 
open_basedir aware. However, restrictions are placed only 
on the destination path as to allow the moving of uploaded 
files in which filename may conflict with such 
restrictions. move_uploaded_file() ensures the safety of 
this operation by allowing only those files uploaded 
through PHP to be moved.


However, I have to add /tmp to open_basedir - which is bad 
in terms of users would be allowed to access the files 
there!

I've not explicitely set the upload_tmp_dir directive, so 
the default /tmp gets used.

See also these old bugs, where it seems to have been 
fixed, but now is broken again:
http://bugs.php.net/bug.php?id=21885
http://bugs.php.net/bug.php?id=27559

Reproduce code:
---
upload.php file:
?php

error_reporting(E_ALL);
ini_set('display_errors', 'on');

if( empty($_FILES) )
{
?
!-- The data encoding type, enctype, MUST be specified as below --
form enctype=multipart/form-data action=upload.php method=POST
!-- MAX_FILE_SIZE must precede the file input field --
input type=hidden name=MAX_FILE_SIZE value=3 /
!-- Name of input element determines name in $_FILES array --
Send this file: input name=userfile type=file /
input type=submit value=Send File /
/form

?php
}
else
{
$uploadfile = dirname(__FILE__).'/upload_file.test';
echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'],
$uploadfile)) {
echo File is valid, and was successfully
uploaded.\n;
} else {
echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
}

?


Expected result:

File upload.

Actual result:
--
Warning: move_uploaded_file() 
[function.move-uploaded-file]: open_basedir restriction in 
effect. File(/tmp/phpoNSKDN) is not within the allowed 
path(s): (/XXX) in ...





-- 
Edit this bug report at http://bugs.php.net/?id=38934edit=1

#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir

2006-09-29 Thread moron at industrial dot org 
 ID:   38934
 Comment by:   moron at industrial dot org
 Reported By:  phpbugs at thequod dot de
 Status:   Feedback
 Bug Type: Safe Mode/open_basedir
 Operating System: Ubuntu Linux
 PHP Version:  5.1.6
 New Comment:

Sorry for the flurry.  In our case it turned out that the error message
was just misleading.  A simple permissions issue on the target directory
was the cause (arrgh) but the error message explicitly stated that the
problem was the open_basedir setting of the upload_tmp directory.  So
more of an annoyance than a show stopper in our case.


Previous Comments:


[2006-09-29 18:13:11] moron at industrial dot org

Sorry, forgot to note that in our case, upload_tmp_dir is explicitly
set.



[2006-09-29 18:12:05] moron at industrial dot org

Exact same behaviour with 4.4.4 under FreeBSD 6.1. 

Frustrating as this bug has appeared before.



[2006-09-25 12:54:21] [EMAIL PROTECTED]

Cannot reproduce with both 5.1.6 and latest CVS.
With upload_tmp_dir not set (aka /tmp) and open_basedir=/www, I get
this: File is valid, and was successfully uploaded.



[2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se

Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big
difference) and have php_admin_value upload_tmp_dir none set (so it
defaults to /tmp).

---8---
Warning: move_uploaded_file(): open_basedir restriction in effect.
File(/tmp/phpP5moMa) is not within the allowed path(s):
(.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in
/apache/htdocs/bwiberg/test/safemode/upload.php on line 9
---8---

As you can see, /tmp is not within open_basedir, but I think it should
not need to be...

---8---
?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
instead
// of $_FILES.

$uploaddir = '/apache/htdocs/bwiberg/test/safemode/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
   echo File is valid, and was successfully uploaded.\n;
} else {
   echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
? 

---8---

Best regards,
Björn



[2006-09-23 11:36:40] phpbugs at thequod dot de

Description:

According to the documentation PHP should be able to read 
the uploaded file, although it's outside the open_basedir 
directories:

Note:  move_uploaded_file() is both safe mode and 
open_basedir aware. However, restrictions are placed only 
on the destination path as to allow the moving of uploaded 
files in which filename may conflict with such 
restrictions. move_uploaded_file() ensures the safety of 
this operation by allowing only those files uploaded 
through PHP to be moved.


However, I have to add /tmp to open_basedir - which is bad 
in terms of users would be allowed to access the files 
there!

I've not explicitely set the upload_tmp_dir directive, so 
the default /tmp gets used.

See also these old bugs, where it seems to have been 
fixed, but now is broken again:
http://bugs.php.net/bug.php?id=21885
http://bugs.php.net/bug.php?id=27559

Reproduce code:
---
upload.php file:
?php

error_reporting(E_ALL);
ini_set('display_errors', 'on');

if( empty($_FILES) )
{
?
!-- The data encoding type, enctype, MUST be specified as below --
form enctype=multipart/form-data action=upload.php method=POST
!-- MAX_FILE_SIZE must precede the file input field --
input type=hidden name=MAX_FILE_SIZE value=3 /
!-- Name of input element determines name in $_FILES array --
Send this file: input name=userfile type=file /
input type=submit value=Send File /
/form

?php
}
else
{
$uploadfile = dirname(__FILE__).'/upload_file.test';
echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'],
$uploadfile)) {
echo File is valid, and was successfully
uploaded.\n;
} else {
echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
}

?


Expected result:

File upload.

Actual result:
--
Warning: move_uploaded_file() 
[function.move-uploaded-file]: open_basedir restriction in 
effect. File(/tmp/phpoNSKDN) is not within the allowed 
path(s): (/XXX) in ...





-- 
Edit this bug report at http://bugs.php.net/?id=38934edit=1

#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir

2006-09-25 Thread Bjorn dot Wiberg at its dot uu dot se 
 ID:   38934
 Comment by:   Bjorn dot Wiberg at its dot uu dot se
 Reported By:  phpbugs at thequod dot de
 Status:   Open
 Bug Type: Safe Mode/open_basedir
 Operating System: Ubuntu Linux
 PHP Version:  5.1.6
 New Comment:

Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big
difference) and have php_admin_value upload_tmp_dir none set (so it
defaults to /tmp).

---8---
Warning: move_uploaded_file(): open_basedir restriction in effect.
File(/tmp/phpP5moMa) is not within the allowed path(s):
(.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in
/apache/htdocs/bwiberg/test/safemode/upload.php on line 9
---8---

As you can see, /tmp is not within open_basedir, but I think it should
not need to be...

---8---
?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used
instead
// of $_FILES.

$uploaddir = '/apache/htdocs/bwiberg/test/safemode/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
   echo File is valid, and was successfully uploaded.\n;
} else {
   echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
? 

---8---

Best regards,
Björn


Previous Comments:


[2006-09-23 11:36:40] phpbugs at thequod dot de

Description:

According to the documentation PHP should be able to read 
the uploaded file, although it's outside the open_basedir 
directories:

Note:  move_uploaded_file() is both safe mode and 
open_basedir aware. However, restrictions are placed only 
on the destination path as to allow the moving of uploaded 
files in which filename may conflict with such 
restrictions. move_uploaded_file() ensures the safety of 
this operation by allowing only those files uploaded 
through PHP to be moved.


However, I have to add /tmp to open_basedir - which is bad 
in terms of users would be allowed to access the files 
there!

I've not explicitely set the upload_tmp_dir directive, so 
the default /tmp gets used.

See also these old bugs, where it seems to have been 
fixed, but now is broken again:
http://bugs.php.net/bug.php?id=21885
http://bugs.php.net/bug.php?id=27559

Reproduce code:
---
upload.php file:
?php

error_reporting(E_ALL);
ini_set('display_errors', 'on');

if( empty($_FILES) )
{
?
!-- The data encoding type, enctype, MUST be specified as below --
form enctype=multipart/form-data action=upload.php method=POST
!-- MAX_FILE_SIZE must precede the file input field --
input type=hidden name=MAX_FILE_SIZE value=3 /
!-- Name of input element determines name in $_FILES array --
Send this file: input name=userfile type=file /
input type=submit value=Send File /
/form

?php
}
else
{
$uploadfile = dirname(__FILE__).'/upload_file.test';
echo 'pre';
if (move_uploaded_file($_FILES['userfile']['tmp_name'],
$uploadfile)) {
echo File is valid, and was successfully
uploaded.\n;
} else {
echo Possible file upload attack!\n;
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print /pre;
}

?


Expected result:

File upload.

Actual result:
--
Warning: move_uploaded_file() 
[function.move-uploaded-file]: open_basedir restriction in 
effect. File(/tmp/phpoNSKDN) is not within the allowed 
path(s): (/XXX) in ...





-- 
Edit this bug report at http://bugs.php.net/?id=38934edit=1