can someone confirm file uploads with open_basedir restrictions do not work with no upload_tmp_dir set (on Windows)
open_basedir = "c:\\htdocs"
;upload_tmp_dir =
PHP 5.2.0 mod / Apache 2.0.55 / Windows XP
without open_basedir restriction file uploads work, with or without upload_tmp_dir set
p.s. marc, yes i am working on this - but my email account is offline since yesterday ...
Logged In: YES
user_id=210714
Originator: NO
Thanks Sebastian.
Do you want some testing done only on Windows?
Logged In: YES
user_id=1383652
Originator: NO
btw
some win users report in the help forum that win (XP?) is not working correctly without setting upload_tmp_dir in php.ini .
see
http://sourceforge.net/forum/message.php?msg_id=4060140
http://sourceforge.net/forum/message.php?msg_id=4039891
http://sourceforge.net/forum/message.php?msg_id=3951054
http://sourceforge.net/forum/message.php?msg_id=3851882
and more
Logged In: YES
user_id=326580
Originator: YES
ok - so we/i should add some check and warn the user if upload tmp dir is not set ...
another point: with open_basedir restrictions enabled and upload_tempdir outside of open_basedir i still get a php warning about "open_basedir restrictions blah blah ..." when using move_uploaded_file() - but it works, the file is moved and can be inserted into the table field ... weird ... is this a windows only problem?
@marc: by default there is an upload_tempdir set on non windows systems, only on windows is this directive left empty by default ...
Logged In: YES
user_id=1383652
Originator: NO
win2k, php5.14, mysql 5.021 :
####
open_basedir = D:/HTdocs
;upload_tmp_dir=
Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(c:\tmp\phpA7.tmp) is not within the allowed path(s): (D:/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45
Inserted rows: 1
SQL query: INSERT INTO `db~a` ( `c1` , `DATE` , `blobF` )
VALUES (
'c1ds1', '0', ''
);____________^ (blob field is empty instead of uploaded file content)
----
open_basedir = D:/HTdocs
upload_tmp_dir = D:/HTdocs/tmp
Inserted rows: 1
SQL query: INSERT INTO `db~a` (`c1`, `DATE`, `blobF`) VALUES ('open_basedir = D:/HTdocs , upload_tmp_dir = D:/HTdocs/tmp', '0', 0x2d2d207068704d7941646d696e2053514c2044756d700a2d2d2076657273696f6 ....
####
;open_basedir=
;upload_tmp_dir=
Inserted rows: 1
SQL query: INSERT INTO `db~a` (`c1`, `DATE`, `blobF`) VALUES ('without base_dir restriction', '0', 0x2d2d207068704d7941646d696e2053514c2044756d700a2d2d207665720322e31302e ....
Logged In: YES
user_id=1383652
Originator: NO
addition:
my tests were using pma trunk
>with open_basedir restrictions enabled and upload_tempdir outside of open_basedir
---8<---
>but it works, the file is moved and can be inserted into the table field
not on my tests, blob is empty!
Logged In: YES
user_id=326580
Originator: YES
>> with open_basedir restrictions enabled and upload_tempdir _outside_ of open_basedir
>> i still get a php warning about "open_basedir restrictions blah blah ..." when using
>> move_uploaded_file()
>> but it works, the file is moved and can be inserted into the table field
>
> not on my tests, blob is empty!
open_basedir = c:\\htdocs
upload_tmp_dir = c:\\tmp
in general, not in PMA (with the current code) ...
Logged In: YES
user_id=1383652
Originator: NO
>in general,
what do you mean by that?
>not in PMA (with the current code) ...
what else?
i used the current PMA (trunk) code.
you asked if anyone could confirm, so i did the tests using the previously documented settings.
on *my* win2k system the tests delivered the expected results, especially if upload_temp_dir is blocked by the open_basedir setting the blob field is *not* populated with uploaded data.
perhaps i just didn't get the point.
Logged In: YES
user_id=210714
Originator: NO
Can we change this thread's subject to "open_basedir support"? There are many places where open_basedir is not correctly supported, for example in libraries/import.lib.php PMA_detectCompression(). It tries a fopen() which fails because the uploaded file has not yet been moved.
Maybe we need PMA_fopen() which would take care of move_uploaded_file() if necessary, sending the file to a configured subdir. Note: if the file is moved, maybe we should define some PMA_IMPORTED_FILE_PATH so that the rest of the code (see import.php) does not try to open $import_file again?
Logged In: YES
user_id=326580
Originator: YES
i have changed the code in the tbl_* - should work now
it tries to create the tmp subfolder if not exists and tmp upload folder is outside of open_basedir
i have found only two additional places where files can be uploaded:
[form] -> [target script]
display_import.lib.php -> import.php
sql_query_form.lib.php -> import.php
Logged In: YES
user_id=210714
Originator: NO
Sebastian,
did you commit?
Logged In: YES
user_id=326580
Originator: YES
2006-12-19 Sebastian Mendel <cybot_tm@users.sourceforge.net>
* tbl_change.php, tbl_replace.php, include/tbl_replace_fields.inc.php:
refactored: made register_globals independent; added documentation;
Logged In: YES
user_id=210714
Originator: NO
Sebastian,
I tested under Linux. In safe mode, the new code fails.
In non_safe mode, I get a permission denied for the mkdir. I failed to understand why :)
P.S. the new code should remove the need for FAQ 1.11 ?
Logged In: YES
user_id=210714
Originator: NO
Sebastian,
any progress on this?
Logged In: YES
user_id=326580
Originator: YES
please test SVN - added some more checks and detailed error messages in case of upload errors
tmp dir can only be created if webuser has execute ('x') rights for the phpMyAdmin folder ...
Logged In: YES
user_id=210714
Originator: NO
Ok I'm testing...
Logged In: YES
user_id=210714
Originator: NO
Test 1: open_basedir defined and safe_mode set to Off. It works but the web server's user must also have write access to the phpMyAdmin folder.
Logged In: YES
user_id=210714
Originator: NO
Test 2: open_basedir defined, safe_mode set to On. It works (same write need as test 1).
Sebastian, don't you think that asking that phpMyAdmin's folder be write-enabled for the web user, is too much on a shared server on which the admin sets open_basedir restrictions?
Logged In: YES
user_id=326580
Originator: YES
yes - as i wrote "tmp dir can only be created if webuser has execute ('x') rights for the phpMyAdmin folder" i would not suggest to enable this right on every installation - i just would make clear that this right is required to automatically create this folder if not existent
if this right is missing there should come up an error message - or not?
Logged In: YES
user_id=210714
Originator: NO
Sebastian,
you wrote about 'x' right, I am talking about the 'w' right.
Logged In: YES
user_id=326580
Originator: YES
oh sorry - i meant the right required to create new subdirs ... of course this is the 'w' right ... ;-)
Logged In: YES
user_id=210714
Originator: NO
Sebastian,
I think that "normal" users on a shared server (where the admin has set an open_basedir restriction) are not allowed to do a chown of their PMA directory to the webuser. They might also not be able to do, say, a chmod 777 on a tmp directory if their ftp server does not allow chmod. Assume that in most cases they do not have shell access.
Logged In: YES
user_id=326580
Originator: YES
marc: i fully understand what you are saying - i know that in most cases creating this dir will fail - what i do not understand is why we are discussing this?
should i remove these lines? why? it is not a mistake to try to create this dir, or?
and if this dir is still missing, even after trying to create it, the user will get an error message, or not?
just tell me what you are expecting phpMyAdmin should do in this case but is not doing.
i am just a little bit confused not getting the point of this 'problem'.
Logged In: YES
user_id=210714
Originator: NO
Sebastian,
I expect that phpMyAdmin can allow uploading to a field, in all circumstances, but maybe I expect too much. In my case, I have defined open_basedir and I get a PHP warning: permission denied on the mkdir, perhaps we need @mkdir.
Then I get an error for the message, I think $GLOBALS['strFieldInsertFromFileTempDirNotExists'] does not exist. What was the message you intended for this? Just a pointer to FAQ 1.11 ?
Another thing I don't understand: is there a relation between open_basedir and upload_tmp_dir. Should the sysadmin always include the upload_tmp_dir inside the string defined as open_basedir?
It's OK for PMA to try to create this directory even if it will fail most of the times.
Logged In: YES
user_id=326580
Originator: YES
Marc - my Canadian friend - :-) ,
as i read the PHP manual:
upload_tmp_dir can be outside of open_basedir - then you have to move_uploaded_file() inside open_basedir before you can access the uploaded file
i have a different opinion for using @ - it is not our fault if display_errors is enabled - and using @ makes much much much trouble finding the source for errors - at least phpMyAdmin could just disable display_errors instead of using this evil @
'strFieldInsertFromFileTempDirNotExists': pointer to FAQ 1.11, yes - i forgot - sorry
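
The handling discussed in this thread (detect that the upload's temporary file lies outside open_basedir, move_uploaded_file() it into a directory inside open_basedir, then read it), as an added example that is not phpMyAdmin's code. The function names and the `$workDir` parameter are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not phpMyAdmin code; function names are hypothetical.

/** True when $path is inside an open_basedir entry, or no restriction is set. */
function path_within_open_basedir(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true;
    }
    // Plain string comparison: realpath() is itself subject to open_basedir.
    $norm = static function (string $p): string {
        $p = str_replace('\\', '/', $p);
        // Windows paths compare case-insensitively.
        return rtrim(DIRECTORY_SEPARATOR === '\\' ? strtolower($p) : $p, '/');
    };
    $path = $norm($path);
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $base = $norm($base);
        // Match on a directory boundary, so this never accepts a path PHP rejects.
        if ($base !== '' && strpos($path . '/', $base . '/') === 0) {
            return true;
        }
    }
    return false;
}

/** Reads one $_FILES entry; $workDir must be inside open_basedir and writable. */
function read_uploaded_file(array $file, string $workDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    $src = $file['tmp_name'];
    $moved = !path_within_open_basedir($src, (string) ini_get('open_basedir'));
    if ($moved) {
        if (!is_dir($workDir) || !is_writable($workDir)) {
            throw new RuntimeException("Temp directory $workDir missing or not writable");
        }
        // Unpredictable name: the directory may be reachable through the web server.
        $dst = $workDir . '/' . bin2hex(random_bytes(8)) . '.upload';
        if (!move_uploaded_file($src, $dst)) {
            throw new RuntimeException("Could not move upload into $workDir");
        }
        $src = $dst;
    }
    $data = file_get_contents($src);
    if ($moved) {
        unlink($src); // do not let uploads accumulate in the application directory
    }
    if ($data === false) {
        throw new RuntimeException('Could not read uploaded file');
    }
    return $data;
}
```

A caller would pass one entry of `$_FILES` and a directory such as a `tmp` subfolder of the application; the exception message is the place to point the user at the relevant FAQ entry.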