From: Operating system: All PHP version: 5.3.8 Package: Filesystem function related Bug Type: Bug Bug description:Race condition in move_uploaded_file()
Description: ------------ There is a race condition in the move_uploaded_file() function: if you don't want to overwrite a file, the standard mechanism is: $fd = fopen($file,"x"); fclose($fd); move_uploaded_file($uploaded_file,$file); But since move_uploaded_file() unlink()s a file first, there may be a race condition: file gets created exclusively via fopen(â¦,"x"), move_uploaded_file() removes the same file and the process gets suspended. Another process creates the file via fopen(â¦,"x"), voila, race condition. Expected result: ---------------- We need a concurrency save implementation of move_uploaded_file(). This can be achieved by implementing a third parameter, boolean $dont_overwrite. When set to true, move_uploaded_file() will ensure that the file does not exist by using open(â¦,O_RDWR|O_CREAT|O_EXCL) and returning false in error case. The patch I attached does exactly this. Actual result: -------------- When two concurrent processes, they may overwrite the same file twice w/o the possibility to prevent it. -- Edit bug report at https://bugs.php.net/bug.php?id=55576&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=55576&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=55576&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=55576&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=55576&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=55576&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=55576&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=55576&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=55576&r=needscript Try newer version: https://bugs.php.net/fix.php?id=55576&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=55576&r=support Expected behavior: https://bugs.php.net/fix.php?id=55576&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=55576&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=55576&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=55576&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=55576&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=55576&r=dst IIS Stability: https://bugs.php.net/fix.php?id=55576&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=55576&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=55576&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=55576&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=55576&r=mysqlcfg