#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir
ID: 38934 Comment by: moron at industrial dot org Reported By: phpbugs at thequod dot de Status: Feedback Bug Type: Safe Mode/open_basedir Operating System: Ubuntu Linux PHP Version: 5.1.6 New Comment: Exact same behaviour with 4.4.4 under FreeBSD 6.1. Frustrating as this bug has appeared before. Previous Comments: [2006-09-25 12:54:21] [EMAIL PROTECTED] Cannot reproduce with both 5.1.6 and latest CVS. With upload_tmp_dir not set (aka /tmp) and open_basedir=/www, I get this: File is valid, and was successfully uploaded. [2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big difference) and have php_admin_value upload_tmp_dir none set (so it defaults to /tmp). ---8--- Warning: move_uploaded_file(): open_basedir restriction in effect. File(/tmp/phpP5moMa) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/upload.php on line 9 ---8--- As you can see, /tmp is not within open_basedir, but I think it should not need to be... ---8--- ?php // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead // of $_FILES. $uploaddir = '/apache/htdocs/bwiberg/test/safemode/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; ? ---8--- Best regards, Björn [2006-09-23 11:36:40] phpbugs at thequod dot de Description: According to the documentation PHP should be able to read the uploaded file, although it's outside the open_basedir directories: Note: move_uploaded_file() is both safe mode and open_basedir aware. However, restrictions are placed only on the destination path as to allow the moving of uploaded files in which filename may conflict with such restrictions. move_uploaded_file() ensures the safety of this operation by allowing only those files uploaded through PHP to be moved. However, I have to add /tmp to open_basedir - which is bad in terms of users would be allowed to access the files there! I've not explicitely set the upload_tmp_dir directive, so the default /tmp gets used. See also these old bugs, where it seems to have been fixed, but now is broken again: http://bugs.php.net/bug.php?id=21885 http://bugs.php.net/bug.php?id=27559 Reproduce code: --- upload.php file: ?php error_reporting(E_ALL); ini_set('display_errors', 'on'); if( empty($_FILES) ) { ? !-- The data encoding type, enctype, MUST be specified as below -- form enctype=multipart/form-data action=upload.php method=POST !-- MAX_FILE_SIZE must precede the file input field -- input type=hidden name=MAX_FILE_SIZE value=3 / !-- Name of input element determines name in $_FILES array -- Send this file: input name=userfile type=file / input type=submit value=Send File / /form ?php } else { $uploadfile = dirname(__FILE__).'/upload_file.test'; echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; } ? Expected result: File upload. Actual result: -- Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpoNSKDN) is not within the allowed path(s): (/XXX) in ... -- Edit this bug report at http://bugs.php.net/?id=38934edit=1
#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir
ID: 38934 Comment by: moron at industrial dot org Reported By: phpbugs at thequod dot de Status: Feedback Bug Type: Safe Mode/open_basedir Operating System: Ubuntu Linux PHP Version: 5.1.6 New Comment: Sorry, forgot to note that in our case, upload_tmp_dir is explicitly set. Previous Comments: [2006-09-29 18:12:05] moron at industrial dot org Exact same behaviour with 4.4.4 under FreeBSD 6.1. Frustrating as this bug has appeared before. [2006-09-25 12:54:21] [EMAIL PROTECTED] Cannot reproduce with both 5.1.6 and latest CVS. With upload_tmp_dir not set (aka /tmp) and open_basedir=/www, I get this: File is valid, and was successfully uploaded. [2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big difference) and have php_admin_value upload_tmp_dir none set (so it defaults to /tmp). ---8--- Warning: move_uploaded_file(): open_basedir restriction in effect. File(/tmp/phpP5moMa) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/upload.php on line 9 ---8--- As you can see, /tmp is not within open_basedir, but I think it should not need to be... ---8--- ?php // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead // of $_FILES. $uploaddir = '/apache/htdocs/bwiberg/test/safemode/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; ? ---8--- Best regards, Björn [2006-09-23 11:36:40] phpbugs at thequod dot de Description: According to the documentation PHP should be able to read the uploaded file, although it's outside the open_basedir directories: Note: move_uploaded_file() is both safe mode and open_basedir aware. However, restrictions are placed only on the destination path as to allow the moving of uploaded files in which filename may conflict with such restrictions. move_uploaded_file() ensures the safety of this operation by allowing only those files uploaded through PHP to be moved. However, I have to add /tmp to open_basedir - which is bad in terms of users would be allowed to access the files there! I've not explicitely set the upload_tmp_dir directive, so the default /tmp gets used. See also these old bugs, where it seems to have been fixed, but now is broken again: http://bugs.php.net/bug.php?id=21885 http://bugs.php.net/bug.php?id=27559 Reproduce code: --- upload.php file: ?php error_reporting(E_ALL); ini_set('display_errors', 'on'); if( empty($_FILES) ) { ? !-- The data encoding type, enctype, MUST be specified as below -- form enctype=multipart/form-data action=upload.php method=POST !-- MAX_FILE_SIZE must precede the file input field -- input type=hidden name=MAX_FILE_SIZE value=3 / !-- Name of input element determines name in $_FILES array -- Send this file: input name=userfile type=file / input type=submit value=Send File / /form ?php } else { $uploadfile = dirname(__FILE__).'/upload_file.test'; echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; } ? Expected result: File upload. Actual result: -- Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpoNSKDN) is not within the allowed path(s): (/XXX) in ... -- Edit this bug report at http://bugs.php.net/?id=38934edit=1
#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir
ID: 38934 Comment by: moron at industrial dot org Reported By: phpbugs at thequod dot de Status: Feedback Bug Type: Safe Mode/open_basedir Operating System: Ubuntu Linux PHP Version: 5.1.6 New Comment: Sorry for the flurry. In our case it turned out that the error message was just misleading. A simple permissions issue on the target directory was the cause (arrgh) but the error message explicitly stated that the problem was the open_basedir setting of the upload_tmp directory. So more of an annoyance than a show stopper in our case. Previous Comments: [2006-09-29 18:13:11] moron at industrial dot org Sorry, forgot to note that in our case, upload_tmp_dir is explicitly set. [2006-09-29 18:12:05] moron at industrial dot org Exact same behaviour with 4.4.4 under FreeBSD 6.1. Frustrating as this bug has appeared before. [2006-09-25 12:54:21] [EMAIL PROTECTED] Cannot reproduce with both 5.1.6 and latest CVS. With upload_tmp_dir not set (aka /tmp) and open_basedir=/www, I get this: File is valid, and was successfully uploaded. [2006-09-25 11:19:58] Bjorn dot Wiberg at its dot uu dot se Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big difference) and have php_admin_value upload_tmp_dir none set (so it defaults to /tmp). ---8--- Warning: move_uploaded_file(): open_basedir restriction in effect. File(/tmp/phpP5moMa) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/upload.php on line 9 ---8--- As you can see, /tmp is not within open_basedir, but I think it should not need to be... ---8--- ?php // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead // of $_FILES. $uploaddir = '/apache/htdocs/bwiberg/test/safemode/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; ? ---8--- Best regards, Björn [2006-09-23 11:36:40] phpbugs at thequod dot de Description: According to the documentation PHP should be able to read the uploaded file, although it's outside the open_basedir directories: Note: move_uploaded_file() is both safe mode and open_basedir aware. However, restrictions are placed only on the destination path as to allow the moving of uploaded files in which filename may conflict with such restrictions. move_uploaded_file() ensures the safety of this operation by allowing only those files uploaded through PHP to be moved. However, I have to add /tmp to open_basedir - which is bad in terms of users would be allowed to access the files there! I've not explicitely set the upload_tmp_dir directive, so the default /tmp gets used. See also these old bugs, where it seems to have been fixed, but now is broken again: http://bugs.php.net/bug.php?id=21885 http://bugs.php.net/bug.php?id=27559 Reproduce code: --- upload.php file: ?php error_reporting(E_ALL); ini_set('display_errors', 'on'); if( empty($_FILES) ) { ? !-- The data encoding type, enctype, MUST be specified as below -- form enctype=multipart/form-data action=upload.php method=POST !-- MAX_FILE_SIZE must precede the file input field -- input type=hidden name=MAX_FILE_SIZE value=3 / !-- Name of input element determines name in $_FILES array -- Send this file: input name=userfile type=file / input type=submit value=Send File / /form ?php } else { $uploadfile = dirname(__FILE__).'/upload_file.test'; echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; } ? Expected result: File upload. Actual result: -- Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpoNSKDN) is not within the allowed path(s): (/XXX) in ... -- Edit this bug report at http://bugs.php.net/?id=38934edit=1
#38934 [Com]: move_uploaded_file() cannot read uploaded file outside of open_basedir
ID: 38934 Comment by: Bjorn dot Wiberg at its dot uu dot se Reported By: phpbugs at thequod dot de Status: Open Bug Type: Safe Mode/open_basedir Operating System: Ubuntu Linux PHP Version: 5.1.6 New Comment: Same result on IBM AIX 5.2 ML8, although I'm using PHP 5.1.5 (no big difference) and have php_admin_value upload_tmp_dir none set (so it defaults to /tmp). ---8--- Warning: move_uploaded_file(): open_basedir restriction in effect. File(/tmp/phpP5moMa) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/upload.php on line 9 ---8--- As you can see, /tmp is not within open_basedir, but I think it should not need to be... ---8--- ?php // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead // of $_FILES. $uploaddir = '/apache/htdocs/bwiberg/test/safemode/'; $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; ? ---8--- Best regards, Björn Previous Comments: [2006-09-23 11:36:40] phpbugs at thequod dot de Description: According to the documentation PHP should be able to read the uploaded file, although it's outside the open_basedir directories: Note: move_uploaded_file() is both safe mode and open_basedir aware. However, restrictions are placed only on the destination path as to allow the moving of uploaded files in which filename may conflict with such restrictions. move_uploaded_file() ensures the safety of this operation by allowing only those files uploaded through PHP to be moved. However, I have to add /tmp to open_basedir - which is bad in terms of users would be allowed to access the files there! I've not explicitely set the upload_tmp_dir directive, so the default /tmp gets used. See also these old bugs, where it seems to have been fixed, but now is broken again: http://bugs.php.net/bug.php?id=21885 http://bugs.php.net/bug.php?id=27559 Reproduce code: --- upload.php file: ?php error_reporting(E_ALL); ini_set('display_errors', 'on'); if( empty($_FILES) ) { ? !-- The data encoding type, enctype, MUST be specified as below -- form enctype=multipart/form-data action=upload.php method=POST !-- MAX_FILE_SIZE must precede the file input field -- input type=hidden name=MAX_FILE_SIZE value=3 / !-- Name of input element determines name in $_FILES array -- Send this file: input name=userfile type=file / input type=submit value=Send File / /form ?php } else { $uploadfile = dirname(__FILE__).'/upload_file.test'; echo 'pre'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo File is valid, and was successfully uploaded.\n; } else { echo Possible file upload attack!\n; } echo 'Here is some more debugging info:'; print_r($_FILES); print /pre; } ? Expected result: File upload. Actual result: -- Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpoNSKDN) is not within the allowed path(s): (/XXX) in ... -- Edit this bug report at http://bugs.php.net/?id=38934edit=1