file not uploaded to the wanted location

See all posts See thread Reply

Re: file not uploaded to the wanted location new!
# Reply
by Tom, 17 years, 5 months ago
Hi Colin,

This is what my ISP suggests:

"PHP includes a function specifically to do what is described above and which works with "open_basedir" restrictions (that is partially why it
was created in the first place):
http://ca.php.net/manual/en/function.is-uploaded-file.php

Code should never be working out of the global temp directory since that would be a security issue (i.e. if you can access it directly, so can other
customers). It is the same concept as why user code should not have direct access to the global session directory.

So the upload class needs to use "is_uploaded_file()" and "move_uploaded_file()" for sanity checking and moving the upload to a local directory respectively. Any actual manipulation of the file definitely needs to happen locally in your account.

Here is what the uplaod class should be doing for its file test (assuming that "file_src_pathname" has been taken from the $_FILES array value for "tmp_name"):

if ($this->processed && !is_uploaded_file($this->file_src_pathname)) {
  $this->processed = false;
  $this->error = _("No source file. Can't carry on a process");
}

"file_exists()" can only access files which are within the "open_basedir" setting.

So I did that and tried another PDF upload, and I now get a different error:

file not uploaded to the wanted location
Error: Source file is not readable. Can't carry on a process

source is an uploaded file
- upload OK
- file name OK
- source variables
    file_src_name         : emrys_cv_jan2004.pdf
    file_src_name_body    : emrys_cv_jan2004
    file_src_name_ext     : pdf
    file_src_pathname     : /data/temp/phpG22U2X
    file_src_mime         : application/pdf
    file_src_size         : 1490859 (max= 134217728)
    file_src_error        : 0
process file to /data/in/b/beverley/www/select/locations/test/
- file size OK
- file mime OK : application/pdf
- file name safe format
- destination variables
    file_dst_path         : /data/in/b/beverley/www/select/locations/test/
    file_dst_name_body    : emrys_cv_jan2004
    file_dst_name_ext     : pdf
- image operation, keep extension
- checking for auto_rename
- destination file details
    file_dst_name         : emrys_cv_jan2004.pdf
    file_dst_pathname     : /data/in/b/beverley/www/select/locations/test/emrys_cv_jan2004.pdf
- emrys_cv_jan2004.pdf doesn't exist already

Maybe that will help isolate the problem.

TomReply
Re: file not uploaded to the wanted location new!
# Reply
by colin, 17 years, 5 months ago
Yes, yes, your ISP is totally right. However, the class still works with open_basedir since I have it enabled on one of my servers, and I can still upload and manipulate images; there must be a catch somewhere.

Regardless, I will modify the class so that it strictly only uses the two PHP functions is_uploaded_file() and move_uploaded_file() to retrieve the file. It is a bit annoying since we need a temp directory, to copy the image before we can manipulate it, etc... but I will not make it compulsory, so you can switch to the new behaviour only if the original behaviour does not work.

This said, I can't work on it right now, I am very busy. I wish I could provide you with a quick fix, but unfortunately it requires substantial changes.
Since the class is maintained on my free time, I can't prioritize it very high... Still, you might want to sponsor this change, which then would convince me to do it quickly ;)Reply
Re: file not uploaded to the wanted location new!
# Reply
by Tom, 17 years, 5 months ago
Thanks, Colin, I've made a donation.

TomReply
Re: file not uploaded to the wanted location new!
# Reply
by colin, 17 years, 5 months ago
Donation received, and much appreciated. I will be working on a new version, and attempt to fix the open_basedir problem for you.Reply