[PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner


Solaris 7
Apache 1.3.14
PHP 4.0.4p1

For the life of me I can't figure out what's going on.  I have:

<form enctype='multipart/form-data' action='/admin/upload.php' method='post'>
<input type=hidden name=MAX_FILE_SIZE value=5000>
<input type=hidden name=uploadingfile value=true>
Choose File: <input name=userfile size=69 type=file><P>
<input type=submit value='Send File'></form>

and I can try to upload a file, but then the HTTP_POST_FILES hash doesn't
get properly populated and no file is stored in the upload
directory.  Basically:


HTTP_POST_FILES["userfile"]
Array
 (
 [name] => 1323.txt
 [type] => text/plain
 [tmp_name] => none
 [size] => 0
 )
I've set my php.ini with: upload_tmp_dir  = /tmp 
and nothing gets put in there (I've verified that the dir has world r/w w/
suid).

Any ideas of how to debug this further?

-- 
Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org  URI:www.synfin.net
They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin

pub 1024D/F86EDAE6  Sig: 3167 CCD6 6081 0FFC B749  9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.
I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80  596E 60BF 451B 20E8 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Michael McGlothlin

A lil clip from Devedge.. you need a VALUE="" field along w/ a NAME="" 
maybe?


This places an element on an HTML form that lets the user supply a file 
as input. When the form is submitted, the content of the specified file 
is sent to the server as the value portion of the name/value pair for 
this input element. Netscape Navigator displays a "Browse" button next 
to the file input element that lets users select a file from their 
system to use as the value of the file input element. *Navigator 2.0*

If a form contains a file input element, the value of the ENCTYPE 
attribute of the FORM tag should be "multipart/form-data".


Syntax

<INPUT TYPE="FILE"
  NAME="name"
  VALUE="filename"
>

NAME="name"

specifies the name of the input element. This value is used as the
name portion of the name/value pair for this element that is sent to
the server when the form is submitted. The name is not displayed on
the form. 

VALUE="filename"

specifies the initial value of the input element. 


<FORM ENCTYPE="multipart/form-data" 
  ACTION="/cgi-bin/example.cgi" METHOD="POST">
 <P>File name:
 <INPUT TYPE="file">
</FORM>






Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner


On Tue, 13 Feb 2001, Michael McGlothlin wrote:

> A lil clip from Devedge.. you need a VALUE="" field along w/ a NAME="" 
> maybe?

A VALUE= isn't required for TYPE=file (and adding it didn't solve my
problem). 
 
> This places an element on an HTML form that lets the user supply a file 
> as input. When the form is submitted, the content of the specified file 
> is sent to the server as the value portion of the name/value pair for 
> this input element. Netscape Navigator displays a "Browse" button next 
> to the file input element that lets users select a file from their 
> system to use as the value of the file input element. *Navigator 2.0*

Yep, and if you look at the HTTP_POST_FILES hash you'll see that the
browser/form properly sent the filename.  The problem is with the
temporary file that isn't created/stored.  More specifically,
HTTP_POST_FILES[userfile][tmp_name] is set to 'none' when it should be
something like /tmp/abc123 and the size is 0.





Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread jason cox

Aaron,

Are you processing the file on the page you're
"posting" to?  Could you send your processing code so
we can have a look?  If you're still having problems,
I can send you an example.

Jason





Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner


On Tue, 13 Feb 2001, jason cox wrote:

> Aaron,
> 
> Are you processing the file on the page you're
> "posting" to? 

Yep.  A little more info this time.  Ok this makes no freaking sense to
me:

I can upload my /etc/passwd file
-rw-r--r-- 1 root root  998 Dec  9 01:44 /etc/passwd

I can't upload other random files in my home directory which I own/have
read access to.
-rw-rw-r-- 1 aturner  aturner 84558 Jan  9 17:01 /home/aturner/1323.txt

> Could you send your processing code so
> we can have a look?  If you're still having problems,
> I can send you an example.

Sure:

<?PHP
require "security.inc";  # checks user cookie to see if they have access
include "connect.inc";   # connects to database

# Userland test that $filename is the temp file PHP created for this upload
function is_an_uploaded_file($filename) {
    if (! $tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));
    }
    $tmp_file .= '/' . basename($filename);
    # User might have trailing / in php.ini
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}

function abortupload($message) {
  global $HTTP_POST_FILES;  # not visible inside a function without this
  echo "<H1 align=center>$message</H1>";
  unlink ($HTTP_POST_FILES['userfile']['tmp_name']);
  phpinfo();                # debugging aid
  echo "</BODY></HTML>";
  exit;
}
?>

<HTML>
 <HEAD>
  <TITLE>Sunnyvale Staging Server</TITLE>
 </HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FF"
  TEXT="#00"
  LINK="#FF"
  VLINK="#80"
  ALINK="#FF"
 >
<font size=-1>[ <a href="/">Main Index</a> ]</font>

<?PHP
if ($uploadingfile == "") {
# MAX_FILE_SIZE is a byte count: 5000 here means about 5 KB
$line = "<form enctype='multipart/form-data' action='/admin/upload.php' method='post'>
<input type=hidden name=MAX_FILE_SIZE value=5000>
<input type=hidden name=uploadingfile value=true>
Choose upload location: <select name=directory>
<option value=Files>Files</option>
<option value=Docs>Documentation</option>
</select>\n<P>";
 echo $line;
 echo "Link Description: <input type=text name=description size=80 value=''><P>\n";
 echo "Detailed Description:<br><textarea wrap=soft name=info rows=5 cols=80></textarea><P>\n";
 echo "<input type=hidden name=urltype value=file>";
 echo "Active: <select name=active><option value=y>Yes</option><option value=n>No</option><option value=s>Submitted</option></select><P>\n";

 $result = mysql_query("SELECT * FROM groups");
 $line = "<select name=urlgroup>";
 while ($row = mysql_fetch_array($result)) {
   $line .= "<option value=$row[groupID]>$row[groupname] ($row[page])</option>";
 }
 $line .= "</select><P>\n";
# echo "Group: $line";
 echo "<input type=hidden name=urlgroup value=1>";
 echo "Choose File: <input name=userfile size=69 type=file value=''><P>\n";
 echo "<input type=submit value='Send File'></form>";

} else {

$location = "";
# '==' compares; a single '=' assigns and always takes the first branch
if ($HTTP_POST_VARS['directory'] == "Files") {
    $location = "/usr/local/apache1.3.14/htdocs/Files";
} elseif ($HTTP_POST_VARS['directory'] == "Docs") {
    $location = "/usr/local/apache1.3.14/htdocs/Docs";
} else {
    abortupload ("Error!  Invalid Directory value: " . htmlspecialchars($HTTP_POST_VARS['directory']));
}

if ($description == "") {
    abortupload("Error!  Please provide a description for this document");
} elseif ($info == "") {
    abortupload("Error!  Please provide information for this document");
}

if ($uploadfile = is_an_uploaded_file($userfile)) {
    # basename() keeps the client-supplied name inside $location
    $filename = basename($HTTP_POST_FILES['userfile']['name']);
    $uploadfile = $location . "/" . $filename;

    # NOTE: the queries below interpolate request values directly; they need
    # addslashes() unless magic_quotes_gpc is enabled
    $result = mysql_query("SELECT * FROM users WHERE LoginName = '$loginname' LIMIT 1");
    $userrow = mysql_fetch_array($result);

    $url = "/" . $HTTP_POST_VARS['directory'] . "/" . $filename;
    $mirror = 0;
    $result = mysql_query("SELECT * FROM urls WHERE url = '$url'");
    if ($existing = mysql_fetch_array($result)) {
      if ($existing['owner'] != $userrow['UserID']) {
        abortupload("Error: Your user ID doesn't have permission to modify this file.");
      }
    } else {
      $result = mysql_query("INSERT INTO urls (owner, urlgroup, url, urldesc, info, active, mirror, urltype) VALUES ('$userrow[UserID]', '$HTTP_POST_VARS[urlgroup]', '$url', '$HTTP_POST_VARS[description]', '$HTTP_POST_VARS[info]', '$HTTP_POST_VARS[active]', '$mirror', '$HTTP_POST_VARS[urltype]')");
    }
    # copy only after the ownership check, so another user's file is not overwritten
    copy ($userfile, $uploadfile);
    echo "<H1 align=center>File upload complete!</H1>";
} else {
  abortupload("Possible file upload attack: filename: " . htmlspecialchars($HTTP_POST_FILES["userfile"]["name"]) . ".");
}

}

?>
</body>
</html>




Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner


Ah, figured out the problem.  MAX_FILE_SIZE is in BYTES not
Kilobytes.  Any file > 5K was killed.

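Added example, not part of the thread or any poster's code: in the setup above an oversized upload showed up only as tmp_name 'none' with size 0, whereas current PHP reports an error code in $_FILES, so a handler can name the size limit as the cause, enforce its own byte limit, and map the directory field through an allowlist. The paths, the 5 MB limit and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Paths and limits are assumptions.
const MAX_BYTES = 5 * 1024 * 1024;           // a byte count: 5 MB
const UPLOAD_DIRS = [                         // allowlist: form value => directory
    'Files' => '/var/www/htdocs/Files',       // hypothetical paths
    'Docs'  => '/var/www/htdocs/Docs',
];
function upload_error_message(int $code): string {
    switch ($code) {
        case UPLOAD_ERR_INI_SIZE:  return 'file exceeds upload_max_filesize in php.ini';
        case UPLOAD_ERR_FORM_SIZE: return 'file exceeds the form MAX_FILE_SIZE (bytes)';
        case UPLOAD_ERR_PARTIAL:   return 'file was only partially uploaded';
        case UPLOAD_ERR_NO_FILE:   return 'no file was sent';
        default:                   return "upload failed (code $code)";
    }
}

function store_upload(array $file, string $dirKey): string {
    if (!isset(UPLOAD_DIRS[$dirKey])) {
        throw new RuntimeException('invalid directory value');
    }
    if (!isset($file['error']) || !is_int($file['error'])) {
        throw new RuntimeException('malformed or missing upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {   // size failures are reported here
        throw new RuntimeException(upload_error_message($file['error']));
    }
    if ($file['size'] > MAX_BYTES) {          // server-side limit; the form field is only a hint
        throw new RuntimeException('file exceeds the server limit');
    }
    $name = basename($file['name']);          // client-supplied, never trusted as a path
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        throw new RuntimeException('unacceptable file name');
    }
    $dest = UPLOAD_DIRS[$dirKey] . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {  // refuses non-upload paths
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $dest = store_upload($_FILES['userfile'] ?? [], (string)($_POST['directory'] ?? ''));
        echo 'Stored as ' . htmlspecialchars(basename($dest));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```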