#41 Adding attachments under safe_mode

closed-out-of-date
None
5
2003-01-11
2002-08-22
Anonymous
No

When using safe_mode and open_basedir restrictions,
src/compose.php is not allowed to move the uploaded attachment
from /tmp (standard) to the attachment dir.

The solution to add /tmp to the open_basedir is very unsafe (session
files reside here too if not changed).

So a better solution is to use safe_mode and open_basedir and move
the uploaded files with the function "move_uploaded_file()".

So here is my patch to SquirrelMail 1.2.7 (attachment below)

Greets,
Windseeker
windseeker@gmx.net

Discussion

  • Logged In: NO

    Hmmm, attachment is gone.......

    Okay, here's the patch again:

    --- src/compose.php.orig Thu Aug 22 16:22:30 2002
    +++ src/compose.php Thu Aug 22 15:32:47 2002
    @@ -881,10 +881,8 @@
    $localfilename = GenerateRandomString(32, '', 7);
    $full_localfilename = "$hashed_attachment_dir/$localfilename";
    }
    - if (!@rename($HTTP_POST_FILES['attachfile']['tmp_name'],
    $full_localfilename)) {
    - if (!@copy($HTTP_POST_FILES['attachfile']['tmp_name'],
    $full_localfilename)) {
    - return true;
    - }
    + if
    (!@move_uploaded_file($HTTP_POST_FILES['attachfile']['tmp_name'],
    $full_localfilename)) {
    + return true;
    }

    $newAttachment['localfilename'] = $localfilename;
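
    Review bot: the @ in front of the new move_uploaded_file() call, followed by a bare "return true", discards the reason a move failed, so a destination outside open_basedir and a rejected upload become indistinguishable to whoever has to debug it. Consider dropping the @ or logging the failure before returning. The call is also wrapped across three lines as pasted ("+ if" on one line, the call on the next), so the hunk will not apply cleanly; re-attaching it as a file would avoid that. Since the rename()/copy() fallback is removed outright, the code now depends on a PHP version that provides move_uploaded_file(), which is worth stating in the change description.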

    Greets,
    Windseeker
    windseeker@gmx.net

     
  • Logged In: NO

    Are you sure??
    I am using a setup with:
    DocumentRoot /var/html/webmail/Squirrelpublichtml

    /var/html/webmail/data
    /var/html/webmail/tmp

    config.php
    $data_dir = '../../data/';
    $attachment_dir = "../../tmp/";

    php_admin_flag safe_mode on
    php_admin_value open_basedir "/web/webmail"

    And I have no problems handling attachments. Check your
    config! I think it is not necessary to change SM code.

     
  • Logged In: NO

    Yes, very sure. The only way your config is able to work
    is if you set your PHP upload_tmp_dir to a dir beneath
    your open_basedir. But by default, this is the system temp
    dir (usually /tmp) and no copy or move command should
    be able to break through the open_basedir restriction and
    read or write to /tmp.

    Only move_uploaded_file() can do that.

    You should check your PHP security to find out why you
    can do this.

    Furthermore, move_uploaded_file() is simply the function
    which was developed by php.net for exactly this purpose
    and does some security checks on the file to be moved.

    Greets,
    Windseeker
    windseeker@gmx.net
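
The upload handling discussed in the comment above, as an added example that is not part of the original ticket or SquirrelMail's own code. It assumes PHP 7.1 or later (where safe_mode no longer exists but open_basedir still applies); save_attachment() and its parameters are hypothetical names.

```php
<?php
// Added example: save_attachment() and its arguments are hypothetical.
// Moves one entry of $_FILES (e.g. $_FILES['attachfile']) into the
// attachment directory and returns the server-chosen file name, or null.
function save_attachment(array $upload, string $attachmentDir): ?string
{
    // Reject failed or partial uploads before touching the filesystem.
    $err = $upload['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        error_log("attachment upload rejected, PHP upload error code $err");
        return null;
    }

    $tmp = $upload['tmp_name'];

    // move_uploaded_file() repeats this check internally; doing it here
    // gives a distinct log line when the path did not come from a POST upload.
    if (!is_uploaded_file($tmp)) {
        error_log('attachment rejected: tmp_name is not an uploaded file');
        return null;
    }

    // Never reuse the client-supplied name for the on-disk file.
    $localName = bin2hex(random_bytes(16));
    $dest = rtrim($attachmentDir, '/') . '/' . $localName;

    // open_basedir is enforced on the destination only, so the source may
    // stay in the default upload_tmp_dir (usually /tmp) without /tmp being
    // added to open_basedir. No @ here: a failure should reach the log.
    if (!move_uploaded_file($tmp, $dest)) {
        error_log("attachment move failed, destination $dest");
        return null;
    }

    chmod($dest, 0600); // readable by the web server user only
    return $localName;
}
```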

     
  • Logged In: YES
    user_id=285765

    Safe_mode is not supported yet, so I'm moving this to devel
    where it might be.

     
    • labels: 102905 -->
     
    • assigned_to: nobody --> kink
     
  • Logged In: YES
    user_id=285765

    Out of date, already fixed in devel. The PHP docs say btw
    that file uploading in safe_mode can be very hard.

     
    • status: open --> closed-out-of-date