From: [EMAIL PROTECTED]
Operating system: AIX
PHP version: 4.1.2
PHP Bug Type: PHP options/info functions
Bug description: move_uploaded_file() is unsafe running in safe-mode

Security issue in move_uploaded_file() while in safe-mode

We have different web-sites running on our server. Each of them may prepare a directory in which files may be written using php-upload and move_uploaded_file(). Our webserver runs with safe-mode-restriction. The documentation says, as mentioned, that this is not unsafe:

    Note: move_uploaded_file() is not affected by the normal safe-mode UID-restrictions. This is not unsafe because move_uploaded_file() only operates on files uploaded via PHP.

In fact, it is. If I know a directory of another website which allows uploading files via php, I'll be able to write a file to this location by offering an upload-script on my website. I could in this way put offending files in someone else's website, who probably protected his php-upload-script with .htaccess.

I would suggest that move_uploaded_file() should be modified so that files may only be moved to directories whose owner is the same as the upload-script while safe-mode restriction applies. This approach would guarantee that nobody other than the people who offer an upload-script will be able to put files in the owner's webspace.

After such a modification move_uploaded_file() will be really safe. At present, it's not. It allows skipping the safe-mode-restriction.

Kind regards and thanks for any feedback
Roberto

--
Edit bug report at http://bugs.php.net/?id=15928&edit=1
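
The ownership check proposed in the report above, sketched as a userland PHP wrapper (an added example, not code from the report or from PHP itself). The helper names dir_owned_by_script() and safe_move_uploaded_file() and the "userfile" form field are hypothetical; it assumes a POSIX host and current PHP syntax rather than PHP 4.1.2.

```php
<?php
// Added illustration of the report's proposal: refuse to move an upload into
// a directory that is not owned by the owner of the running script.
// Helper names are hypothetical; this is not PHP's internal implementation.

function dir_owned_by_script(string $destination, ?int $scriptUid = null): bool
{
    // getmyuid() returns the UID that owns the current script file,
    // which is the identity safe-mode compared against.
    $scriptUid = $scriptUid ?? getmyuid();

    // Resolve symlinks and ".." so the check applies to the real target
    // directory, not to the path string the caller supplied.
    $dir = realpath(dirname($destination));
    if ($dir === false || !is_dir($dir)) {
        return false;
    }

    $dirUid = fileowner($dir);
    return $dirUid !== false && $dirUid === $scriptUid;
}

function safe_move_uploaded_file(string $tmpName, string $destination): bool
{
    // Keep the existing guarantee: only files received via HTTP upload.
    if (!is_uploaded_file($tmpName)) {
        return false;
    }
    // Added guarantee from the report: destination directory must belong
    // to the same owner as the upload script.
    if (!dir_owned_by_script($destination)) {
        return false;
    }
    return move_uploaded_file($tmpName, $destination);
}

// Typical use inside an upload handler ("userfile" is an assumed field name):
if (isset($_FILES['userfile'])) {
    $target = __DIR__ . '/uploads/' . basename($_FILES['userfile']['name']);
    if (!safe_move_uploaded_file($_FILES['userfile']['tmp_name'], $target)) {
        http_response_code(403);
        exit('Upload rejected: destination is not owned by this script owner.');
    }
}
```

A check made in userland only binds scripts that call the wrapper; the report asks for the same comparison inside move_uploaded_file() itself so that every script on the shared server is subject to it.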