From:             
Operating system: All
PHP version:      5.3.8
Package:          Filesystem function related
Bug Type:         Bug
Bug description:Race condition in move_uploaded_file()

Description:
------------
There is a race condition in the move_uploaded_file() function: if you
don't want 
to overwrite a file, the standard mechanism is:

$fd = fopen($file,"x");
fclose($fd);
move_uploaded_file($uploaded_file,$file);

But since move_uploaded_file() unlink()s a file first, there may be a race

condition: file gets created exclusively via fopen(…,"x"),
move_uploaded_file() 
removes the same file and the process gets suspended. Another process
creates the 
file via fopen(…,"x"), voila, race condition.

Expected result:
----------------
We need a concurrency save implementation of move_uploaded_file(). This can
be 
achieved by implementing a third parameter, boolean $dont_overwrite. When
set to 
true, move_uploaded_file() will ensure that the file does not exist by
using 
open(…,O_RDWR|O_CREAT|O_EXCL) and returning false in error case. The
patch I 
attached does exactly this.


Actual result:
--------------
When two concurrent processes, they may overwrite the same file twice w/o
the 
possibility to prevent it. 

-- 
Edit bug report at https://bugs.php.net/bug.php?id=55576&edit=1
-- 
Try a snapshot (PHP 5.4):            
https://bugs.php.net/fix.php?id=55576&r=trysnapshot54
Try a snapshot (PHP 5.3):            
https://bugs.php.net/fix.php?id=55576&r=trysnapshot53
Try a snapshot (trunk):              
https://bugs.php.net/fix.php?id=55576&r=trysnapshottrunk
Fixed in SVN:                        
https://bugs.php.net/fix.php?id=55576&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=55576&r=needdocs
Fixed in release:                    
https://bugs.php.net/fix.php?id=55576&r=alreadyfixed
Need backtrace:                      
https://bugs.php.net/fix.php?id=55576&r=needtrace
Need Reproduce Script:               
https://bugs.php.net/fix.php?id=55576&r=needscript
Try newer version:                   
https://bugs.php.net/fix.php?id=55576&r=oldversion
Not developer issue:                 
https://bugs.php.net/fix.php?id=55576&r=support
Expected behavior:                   
https://bugs.php.net/fix.php?id=55576&r=notwrong
Not enough info:                     
https://bugs.php.net/fix.php?id=55576&r=notenoughinfo
Submitted twice:                     
https://bugs.php.net/fix.php?id=55576&r=submittedtwice
register_globals:                    
https://bugs.php.net/fix.php?id=55576&r=globals
PHP 4 support discontinued:          
https://bugs.php.net/fix.php?id=55576&r=php4
Daylight Savings:                    https://bugs.php.net/fix.php?id=55576&r=dst
IIS Stability:                       
https://bugs.php.net/fix.php?id=55576&r=isapi
Install GNU Sed:                     
https://bugs.php.net/fix.php?id=55576&r=gnused
Floating point limitations:          
https://bugs.php.net/fix.php?id=55576&r=float
No Zend Extensions:                  
https://bugs.php.net/fix.php?id=55576&r=nozend
MySQL Configuration Error:           
https://bugs.php.net/fix.php?id=55576&r=mysqlcfg

Reply via email to