From: phpbugs at thequod dot de Operating system: Ubuntu Linux PHP version: 5.1.6 PHP Bug Type: Safe Mode/open_basedir Bug description: move_uploaded_file() cannot read uploaded file outside of open_basedir
Description: ------------ According to the documentation PHP should be able to read the uploaded file, although it's outside the open_basedir directories: """ Note: move_uploaded_file() is both safe mode and open_basedir aware. However, restrictions are placed only on the destination path as to allow the moving of uploaded files in which filename may conflict with such restrictions. move_uploaded_file() ensures the safety of this operation by allowing only those files uploaded through PHP to be moved. """ However, I have to add /tmp to open_basedir - which is bad in terms of users would be allowed to access the files there! I've not explicitely set the upload_tmp_dir directive, so the default "/tmp" gets used. See also these old bugs, where it seems to have been fixed, but now is broken again: http://bugs.php.net/bug.php?id=21885 http://bugs.php.net/bug.php?id=27559 Reproduce code: --------------- upload.php file: <?php error_reporting(E_ALL); ini_set('display_errors', 'on'); if( empty($_FILES) ) { ?> <!-- The data encoding type, enctype, MUST be specified as below --> <form enctype="multipart/form-data" action="upload.php" method="POST"> <!-- MAX_FILE_SIZE must precede the file input field --> <input type="hidden" name="MAX_FILE_SIZE" value="30000" /> <!-- Name of input element determines name in $_FILES array --> Send this file: <input name="userfile" type="file" /> <input type="submit" value="Send File" /> </form> <?php } else { $uploadfile = dirname(__FILE__).'/upload_file.test'; echo '<pre>'; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "Possible file upload attack!\n"; } echo 'Here is some more debugging info:'; print_r($_FILES); print "</pre>"; } ?> Expected result: ---------------- File upload. Actual result: -------------- Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpoNSKDN) is not within the allowed path(s): (/XXX) in ... -- Edit bug report at http://bugs.php.net/?id=38934&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=38934&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=38934&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=38934&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=38934&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=38934&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=38934&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=38934&r=needscript Try newer version: http://bugs.php.net/fix.php?id=38934&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=38934&r=support Expected behavior: http://bugs.php.net/fix.php?id=38934&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=38934&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=38934&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=38934&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=38934&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=38934&r=dst IIS Stability: http://bugs.php.net/fix.php?id=38934&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=38934&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=38934&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=38934&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=38934&r=mysqlcfg
