I have a problem related to php security measures and relative paths (should I post it in the security section maybe?)
I am uploading files to www.mywebsite.com/tmp_upload/
which is actually /1175/public_html/tmp_upload/
This is a Linux server running PHP. Unfortunately it's not really easy to customize and it is not in my power to change to a better company.
To allow file uploads into /1175/public_html/tmp_upload/, I need to create a php.ini file in /1175/public_html/cgi_bin
Here it is:
Code: Select all
; Whether to allow HTTP file uploads.
file_uploads = 1
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
upload_tmp_dir = "../tmp_upload"
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
Code: Select all
Array
(
[uploadedfile] => Array
(
[name] => index.txt
[type] => text/plain
[tmp_name] => ../tmp_upload/php6VddXd
[error] => 0
[size] => 121
)
)
I want to move the files to /1175/public_html/uploads. All my .php files are located in the website root, /1175/public_html/
Here are two pieces of code I have prepared for two scenarios. Firstly, do as all tutorials say:
Code: Select all
$target_path = "uploads/" . basename( $_FILES['uploadedfile']['name']);
move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path);
So I think, "hey that's easy, I'll just remove the trailing ../"
Warning: move_uploaded_file(../tmp_upload/php6VddXd) [function.move-uploaded-file]: failed to open stream: No such file or directory in /home/1/8/9/1175/1175/public_html/admin_global.php on line 157
Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '../tmp_upload/php6VddXd' to 'uploads/index.txt' in /home/1/8/9/1175/1175/public_html/admin_global.php on line 157
Code: Select all
$target_path = "uploads/" . basename( $_FILES['uploadedfile']['name']);
move_uploaded_file(substr(($_FILES['uploadedfile']['tmp_name']), 3), $target_path);
For the first scenario, with unreachable path:
Code: Select all
is_uploaded_file($_FILES['uploadedfile']['tmp_name'])
For the second scenario, where I removed the ../ so that I can actually reach the file,
Code: Select all
is_uploaded_file(substr(($_FILES['uploadedfile']['tmp_name']), 3))
I tried writing in .ini "upload_tmp_dir = "/tmp"" and I've created tmp files with proper permissions everywhere I could, which is /1175/public_html/tmp and /1175/tmp, but files could not be saved there (due to UPLOAD_ERR_NO_TMP_DIR).
I would appreciate your help, thank you
Amadeo
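
An upload handler for the setup described above, as an added example that is not part of the original post: it passes tmp_name unmodified, because is_uploaded_file() and move_uploaded_file() accept only the exact string PHP recorded for the request, and it builds the destination from an absolute path. It assumes PHP 7+ and that upload_tmp_dir in php.ini is an absolute path; the function name store_upload and the extension allowlist are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and an ABSOLUTE
// upload_tmp_dir in php.ini, so tmp_name resolves from any working directory.

/** Validate one $_FILES entry, move it into $destDir, return the new path. */
function store_upload(array $file, string $destDir,
                      array $allowedExt = ['txt', 'png', 'jpg', 'pdf']): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload error code $err");
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    // Pass tmp_name unmodified: PHP accepts only the exact string it recorded
    // for this request, so a path edited with substr() is rejected.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not a file uploaded in this request');
    }
    // A relative tmp_name is resolved against the current working directory.
    if (!is_readable($tmp)) {
        throw new RuntimeException('temp file unreachable from ' . getcwd() . ": $tmp");
    }
    $dir = realpath($destDir);
    if ($dir === false || !is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException('destination missing or not writable');
    }
    // The client-supplied name only contributes an allowlisted extension;
    // the stored name is random, so it cannot carry a path or a script suffix.
    $ext = strtolower(pathinfo(basename((string) ($file['name'] ?? '')), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('file type not allowed');
    }
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('move_uploaded_file() failed');
    }
    return $target;
}

if (isset($_FILES['uploadedfile'])) {
    try {
        $stored = store_upload($_FILES['uploadedfile'], __DIR__ . '/uploads');
        echo 'Stored as ', htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage()); // details stay server-side
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```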