move_uploaded_file + safe_mode

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I would like to upload a file (via a form), then read that (temporary)
file and write the contents into a database. The first problem is that
open_basedir=/home/CUSTOMER so I can't just read it from /tmp.

That's why I used move_uploaded_file() to move the file

error_reporting (E_ALL);
// move file to DOMAIN's tmpdir
$client_name = $_FILES['uploadfile']['name'];
$dest = "/home/CUSTOMER/DOMAIN/tmp/$client_name";
move_uploaded_file($_FILES['uploadfile']['tmp_name'], $dest);

// read uploaded file
$tempfile = fopen("$dest","rb");
echo "contents of $client_name=" . fread ($tempfile,1024);


when I do the fopen I get an error:
Warning: SAFE MODE Restriction in effect. The script whose uid is 0 is not
allowed to access /home/CUSTOMER/DOMAIN/tmp/README.html owned by uid 33

This error is because move_uploaded_file() has created README.html
with www-data:www-data (instead of CUSTOMER:CUSTOMER):
-rw-------   1 www-data www-data    12733 Jul  9 14:17 README.html

Next I tried to login via ftp, and do a chmod on that file from there
(I found this trick on and it helped with such safe_mode
problems in the past), right after the call to move_uploaded_file():

// do a chmod 777 via ftp to work around a safe_mode problem
// (file-uploads are created with user=www-data, but on our server
// safe_mode is enabled, and so php-scripts may not open any files
// that are not owned by CUSTOMER:CUSTOMER)
// => we chmod 777 it via ftp so that we can read it
$path = "DOMAIN";
$conn = ftp_connect ("localhost");
$result = ftp_login ($conn, "CUSTOMER", "PASSWORD");
if (!$conn or !$result) { exit ("Couldn't login to ftp!"); }
if (!ftp_site ($conn, "chmod 0777 /DOMAIN/tmp/$client_name")) \{
 exit ("Couldn't do ftp_site!");
ftp_quit ($conn);
but then I get permission denied for the ftp-command:
Warning: ftp_site: /DOMAIN/tmp/README.html: Operation not permitted in
[...]/testupload.php on line 20
Couldn't do ftp_site!

thanks a lot,
Felix Natter

Re: move_uploaded_file + safe_mode

one  workaround I found is to use the php cgi binary for the file-upload
script, using suexec.

Felix Natter

Site Timeline