move_uploaded_file

move_uploaded_file

on 11.12.2009 19:09:39 by roberto

Am I just drunk or blind or the documentation is simply wrong?

From the official doc
(http://uk2.php.net/manual/en/function.move-uploaded-file.php):

<?php
$uploads_dir = '/uploads';
foreach ($_FILES["pictures"]["error"] as $key => $error) {
    if ($error == UPLOAD_ERR_OK) {
        $tmp_name = $_FILES["pictures"]["tmp_name"][$key];
        $name = $_FILES["pictures"]["name"][$key];
        move_uploaded_file($tmp_name, "$uploads_dir/$name");
    }
}
?>

The path for the upload dir should be a relative one, not an absolute one.

Roberto Aloi
http://aloiroberto.wordpress.com
Twitter: @prof3ta

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: move_uploaded_file

on 11.12.2009 19:20:33 by Joseph Thayne

You should be able to use either an absolute or relative path. In the
code below, the path specified is absolute (it starts with /). If you
want it to be relative to your current directory, change the line to:

$uploads_dir = 'uploads'; or $uploads_dir = '../uploads';

So basically, it all depends on how you define your path.

Joseph


Roberto wrote:
> Am I just drunk or blind or the documentation is simply wrong?
>
> From the official doc
> (http://uk2.php.net/manual/en/function.move-uploaded-file.php):
>
> <?php
> $uploads_dir = '/uploads';
> foreach ($_FILES["pictures"]["error"] as $key => $error) {
> if ($error == UPLOAD_ERR_OK) {
> $tmp_name = $_FILES["pictures"]["tmp_name"][$key];
> $name = $_FILES["pictures"]["name"][$key];
> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> }
> }
> ?>
>
> The path for the upload dir should be a relative one, not an absolute one.
>
> Roberto Aloi
> http://aloiroberto.wordpress.com
> Twitter: @prof3ta
>
>


Re: move_uploaded_file

on 11.12.2009 19:51:48 by roberto

HI,

Premise 1:
echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"

Premise 2:
I have an "upload" folder with 777 permissions under:
/home/prof3ta/projects/moodle/htdocs/upload

Premise 3:
The server root is obviously htdocs:
/home/prof3ta/projects/moodle/htdocs

This said, the following doesn't work:

<?php
$uploads_dir = "/upload";
$tmp_name = $_FILES["file"]["tmp_name"];
$name = $_FILES["file"]["name"];
move_uploaded_file($tmp_name, "$uploads_dir/$name");
?>

The following does work:

<?php
$uploads_dir = "../upload";
$tmp_name = $_FILES["file"]["tmp_name"];
$name = $_FILES["file"]["name"];
move_uploaded_file($tmp_name, "$uploads_dir/$name");
?>

I consider it as a documentation bug (in the sample code they use an
absolute path).
I indeed believe I *should* be able to use both of them if not
documented otherwise.
I will dig into the C implementation of the move_uploaded_file
function and I'll check, though.

Cheers,

Roberto Aloi
http://aloiroberto.wordpress.com
Twitter: @prof3ta


Re: move_uploaded_file

on 11.12.2009 20:45:49 by Joseph Thayne

When used in PHP, an absolute path does not go off the web root. In
Premise 3 below, an absolute path of "/upload" will NOT bring up the
directory "/home/prof3ta/projects/moodle/htdocs/upload" but rather
simply "/upload". In Windows terms, an absolute path would be
"C:\upload" versus "C:\home\prof3ta\projects\moodle\htdocs\upload". The
only time an absolute path is figured relative to the web root is when
it is referenced in a browser. At this point, for all intents and
purposes, it locates the file based on the web root. This is a
fundamental difference between absolute and relative paths.

Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
Relative: begins wherever the running script is located in the file system.

Joseph

Roberto wrote:
> HI,
>
> Premise 1:
> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
>
> Premise 2:
> I have an "upload" folder with 777 permissions under:
> /home/prof3ta/projects/moodle/htdocs/upload
>
> Premise 3:
> The server root is obviously htdocs:
> /home/prof3ta/projects/moodle/htdocs
>
> This said, the following doesn't work:
>
> <?php
> $uploads_dir = "/upload";
> $tmp_name = $_FILES["file"]["tmp_name"];
> $name = $_FILES["file"]["name"];
> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> ?>
>
> The following does work:
>
> <?php
> $uploads_dir = "../upload";
> $tmp_name = $_FILES["file"]["tmp_name"];
> $name = $_FILES["file"]["name"];
> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> ?>
>
> I consider it as a documentation bug (in the sample code they use an
> absolute path).
> I indeed believe I *should* be able to use both of them if not
> documented otherwise.
> I will dig into the C implementation of the move_uploaded_file
> function and I'll check, though.
>
> Cheers,
>
> Roberto Aloi
> http://aloiroberto.wordpress.com
> Twitter: @prof3ta
>
>
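
The rule this thread arrives at (the target of move_uploaded_file() is a filesystem path, never a path under the web root) written out in code, as an added example that is not part of any poster's message or of the PHP manual. The "upload" directory under the document root and the "file" field follow Roberto's setup; the function names are invented here, and the clean-up of the client-supplied file name is an addition the thread does not discuss.

```php
<?php
// Added example; not code from the thread or from the PHP manual.
// Assumed layout (Roberto's): <document root>/upload, form field "file".
// Function names are invented for this sketch.

/**
 * Turn "the upload folder under the web root" into the filesystem path
 * that move_uploaded_file() needs. A bare "/upload" would point at the
 * filesystem root, which is why the first attempt in the thread failed.
 */
function resolve_upload_dir(string $docRoot, string $subdir): string
{
    $dir = realpath($docRoot . DIRECTORY_SEPARATOR . $subdir);
    if ($dir === false || !is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException('Upload directory missing or not writable');
    }
    return $dir;
}

/**
 * Build the destination from the client-supplied name. $_FILES[...]['name']
 * is whatever the browser sent, so only its last path component is kept and
 * unusual characters are replaced before it is appended to the directory.
 */
function destination_for(string $uploadDir, string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName));
    $name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === '' || $name[0] === '.') {
        throw new InvalidArgumentException('Unusable file name');
    }
    return $uploadDir . DIRECTORY_SEPARATOR . $name;
}

/** Move one entry of $_FILES into the upload directory; returns the final path. */
function store_upload(array $file, string $uploadDir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $error");
    }
    $dest = destination_for($uploadDir, (string) $file['name']);
    // move_uploaded_file() itself checks that tmp_name came from an HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException("Could not move upload to $dest");
    }
    return $dest;
}

if (PHP_SAPI === 'cli') {
    // Constructed layout mirroring the thread: <tmp>/htdocs/{upload,feedback_tool},
    // with the script "running" from feedback_tool.
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mvupl_' . getmypid();
    $root = $base . DIRECTORY_SEPARATOR . 'htdocs';
    mkdir("$root/upload", 0750, true);
    mkdir("$root/feedback_tool", 0750, true);
    chdir("$root/feedback_tool");

    $dir = resolve_upload_dir($root, 'upload');
    // Relative path: resolved from the current working directory.
    var_dump(realpath('../upload') === $dir);
    // Absolute path: resolved from the filesystem root, not from htdocs.
    var_dump(realpath('/upload') === $dir);
    // Directory components in a client-supplied name are discarded.
    echo destination_for($dir, '../../notes.txt'), PHP_EOL;

    // Remove the constructed directories again.
    chdir(sys_get_temp_dir());
    rmdir("$root/upload");
    rmdir("$root/feedback_tool");
    rmdir($root);
    rmdir($base);
} elseif (isset($_FILES['file'])) {
    // Under a web server, DOCUMENT_ROOT is the filesystem path of the web root.
    $dir = resolve_upload_dir($_SERVER['DOCUMENT_ROOT'], 'upload');
    store_upload($_FILES['file'], $dir);
}
```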


Re: move_uploaded_file

on 11.12.2009 23:14:42 by Roberto Aloi

Hi Joseph,

I'm perfectly fine with the concepts of absolute/relative path and
webroot, trust me.
For me it was just unclear from the documentation the fact that the
"target path" in the move_uploaded_file function was "absolute" with
respect to the file system and not to the "webroot".
At the beginning I thought the function itself was taking care about
adding the server root on its own to that path.
Thinking carefully, it makes perfectly sense for the function to
behave the way it actually does, since otherwise it would be
impossible to get these files out of the server root in file system
terms.
Just, this should be written in CAPITAL LETTERS in the documentation.
Thanks for the interest,

Roberto Aloi
http://aloiroberto.wordpress.com
Twitter: @prof3ta

> When used in PHP, an absolute path does not go off the web root. In Premise
> 3 below, an absolute path of "/upload" will NOT bring up the directory
> "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
> In Windows terms, an absolute path would be "C:\upload" versus
> "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
> path is figured relative to the web root is when it is referenced in a
> browser. At this point, for all intents and purposes, it locates the file
> based on the web root. This is a fundamental difference between absolute
> and relative paths.
>
> Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
> Relative: begins wherever the running script is located in the file system.
>
> Joseph
>
> Roberto wrote:
>>
>> HI,
>>
>> Premise 1:
>> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
>>
>> Premise 2:
>> I have an "upload" folder with 777 permissions under:
>> /home/prof3ta/projects/moodle/htdocs/upload
>>
>> Premise 3:
>> The server root is obviously htdocs:
>> /home/prof3ta/projects/moodle/htdocs
>>
>> This said, the following doesn't work:
>>
>> <?php
>> $uploads_dir = "/upload";
>> $tmp_name = $_FILES["file"]["tmp_name"];
>> $name = $_FILES["file"]["name"];
>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>> ?>
>>
>> The following does work:
>>
>> <?php
>> $uploads_dir = "../upload";
>> $tmp_name = $_FILES["file"]["tmp_name"];
>> $name = $_FILES["file"]["name"];
>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>> ?>
>>
>> I consider it as a documentation bug (in the sample code they use an
>> absolute path).
>> I indeed believe I *should* be able to use both of them if not
>> documented otherwise.
>> I will dig into the C implementation of the move_uploaded_file
>> function and I'll check, though.
>>
>> Cheers,
>>
>> Roberto Aloi
>> http://aloiroberto.wordpress.com
>> Twitter: @prof3ta
>>
>>
>


Re: move_uploaded_file

on 11.12.2009 23:36:43 by Ashley Sheridan


On Fri, 2009-12-11 at 22:14 +0000, Roberto wrote:

> Hi Joseph,
>
> I'm perfectly fine with the concepts of absolute/relative path and
> webroot, trust me.
> For me it was just unclear from the documentation the fact that the
> "target path" in the move_uploaded_file function was "absolute" with
> respect to the file system and not to the "webroot".
> At the beginning I thought the function itself was taking care about
> adding the server root on its own to that path.
> Thinking carefully, it makes perfectly sense for the function to
> behave the way it actually does, since otherwise it would be
> impossible to get these files out of the server root in file system
> terms.
> Just, this should be written in CAPITAL LETTERS in the documentation.
> Thanks for the interest,
>
> Roberto Aloi
> http://aloiroberto.wordpress.com
> Twitter: @prof3ta
>
> > When used in PHP, an absolute path does not go off the web root. In Premise
> > 3 below, an absolute path of "/upload" will NOT bring up the directory
> > "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
> > In Windows terms, an absolute path would be "C:\upload" versus
> > "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
> > path is figured relative to the web root is when it is referenced in a
> > browser. At this point, for all intents and purposes, it locates the file
> > based on the web root. This is a fundamental difference between absolute
> > and relative paths.
> >
> > Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
> > Relative: begins wherever the running script is located in the file system.
> >
> > Joseph
> >
> > Roberto wrote:
> >>
> >> HI,
> >>
> >> Premise 1:
> >> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
> >>
> >> Premise 2:
> >> I have an "upload" folder with 777 permissions under:
> >> /home/prof3ta/projects/moodle/htdocs/upload
> >>
> >> Premise 3:
> >> The server root is obviously htdocs:
> >> /home/prof3ta/projects/moodle/htdocs
> >>
> >> This said, the following doesn't work:
> >>
> >> <?php
> >> $uploads_dir = "/upload";
> >> $tmp_name = $_FILES["file"]["tmp_name"];
> >> $name = $_FILES["file"]["name"];
> >> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >> ?>
> >>
> >> The following does work:
> >>
> >> <?php
> >> $uploads_dir = "../upload";
> >> $tmp_name = $_FILES["file"]["tmp_name"];
> >> $name = $_FILES["file"]["name"];
> >> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >> ?>
> >>
> >> I consider it as a documentation bug (in the sample code they use an
> >> absolute path).
> >> I indeed believe I *should* be able to use both of them if not
> >> documented otherwise.
> >> I will dig into the C implementation of the move_uploaded_file
> >> function and I'll check, though.
> >>
> >> Cheers,
> >>
> >> Roberto Aloi
> >> http://aloiroberto.wordpress.com
> >> Twitter: @prof3ta
> >>
> >>
> >
>


I've never had any issue with the documentation for this function. I
think it might just be an issue with interpretation? :p

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: move_uploaded_file

on 12.12.2009 12:49:18 by Ashley Sheridan


On Sat, 2009-12-12 at 11:49 +0000, Roberto Aloi wrote:

> This is exactly what I mean.
> Documentation should never leave room to interpretation.
> At least, this is what I think.
>
> Roberto Aloi
>
> On 11 Dec 2009, at 22:36, Ashley Sheridan
> wrote:
>
> > On Fri, 2009-12-11 at 22:14 +0000, Roberto wrote:
> >>
> >> Hi Joseph,
> >>
> >> I'm perfectly fine with the concepts of absolute/relative path and
> >> webroot, trust me.
> >> For me it was just unclear from the documentation the fact that the
> >> "target path" in the move_uploaded_file function was "absolute" with
> >> respect to the file system and not to the "webroot".
> >> At the beginning I thought the function itself was taking care about
> >> adding the server root on its own to that path.
> >> Thinking carefully, it makes perfectly sense for the function to
> >> behave the way it actually does, since otherwise it would be
> >> impossible to get these files out of the server root in file system
> >> terms.
> >> Just, this should be written in CAPITAL LETTERS in the documentation.
> >> Thanks for the interest,
> >>
> >> Roberto Aloi
> >> http://aloiroberto.wordpress.com
> >> Twitter: @prof3ta
> >>
> >> > When used in PHP, an absolute path does not go off the web root. In Premise
> >> > 3 below, an absolute path of "/upload" will NOT bring up the directory
> >> > "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
> >> > In Windows terms, an absolute path would be "C:\upload" versus
> >> > "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
> >> > path is figured relative to the web root is when it is referenced in a
> >> > browser. At this point, for all intents and purposes, it locates the file
> >> > based on the web root. This is a fundamental difference between absolute
> >> > and relative paths.
> >> >
> >> > Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
> >> > Relative: begins wherever the running script is located in the file system.
> >> >
> >> > Joseph
> >> >
> >> > Roberto wrote:
> >> >>
> >> >> HI,
> >> >>
> >> >> Premise 1:
> >> >> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
> >> >>
> >> >> Premise 2:
> >> >> I have an "upload" folder with 777 permissions under:
> >> >> /home/prof3ta/projects/moodle/htdocs/upload
> >> >>
> >> >> Premise 3:
> >> >> The server root is obviously htdocs:
> >> >> /home/prof3ta/projects/moodle/htdocs
> >> >>
> >> >> This said, the following doesn't work:
> >> >>
> >> >> <?php
> >> >> $uploads_dir = "/upload";
> >> >> $tmp_name = $_FILES["file"]["tmp_name"];
> >> >> $name = $_FILES["file"]["name"];
> >> >> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >> >> ?>
> >> >>
> >> >> The following does work:
> >> >>
> >> >> <?php
> >> >> $uploads_dir = "../upload";
> >> >> $tmp_name = $_FILES["file"]["tmp_name"];
> >> >> $name = $_FILES["file"]["name"];
> >> >> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >> >> ?>
> >> >>
> >> >> I consider it as a documentation bug (in the sample code they use an
> >> >> absolute path).
> >> >> I indeed believe I *should* be able to use both of them if not
> >> >> documented otherwise.
> >> >> I will dig into the C implementation of the move_uploaded_file
> >> >> function and I'll check, though.
> >> >>
> >> >> Cheers,
> >> >>
> >> >> Roberto Aloi
> >> >> http://aloiroberto.wordpress.com
> >> >> Twitter: @prof3ta
> >> >>
> >> >>
> >> >
> >>
> >
> > I've never had any issue with the documentation for this function. I
> > think it might just be an issue with interpretation? :p
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >


I can't see where you would find fault with the documentation though, as
all the PHP file functions require either an absolute path from the root
(not web root) or a relative one from the script performing the action.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: move_uploaded_file

on 12.12.2009 12:49:30 by Roberto Aloi


This is exactly what I mean.
Documentation should never leave room to interpretation.
At least, this is what I think.

Roberto Aloi

On 11 Dec 2009, at 22:36, Ashley Sheridan
wrote:

> On Fri, 2009-12-11 at 22:14 +0000, Roberto wrote:
>>
>> Hi Joseph,
>>
>> I'm perfectly fine with the concepts of absolute/relative path and
>> webroot, trust me.
>> For me it was just unclear from the documentation the fact that the
>> "target path" in the move_uploaded_file function was "absolute" with
>> respect to the file system and not to the "webroot".
>> At the beginning I thought the function itself was taking care about
>> adding the server root on its own to that path.
>> Thinking carefully, it makes perfectly sense for the function to
>> behave the way it actually does, since otherwise it would be
>> impossible to get these files out of the server root in file system
>> terms.
>> Just, this should be written in CAPITAL LETTERS in the documentation.
>> Thanks for the interest,
>>
>> Roberto Aloi
>> http://aloiroberto.wordpress.com
>> Twitter: @prof3ta
>>
>> > When used in PHP, an absolute path does not go off the web root. In Premise
>> > 3 below, an absolute path of "/upload" will NOT bring up the directory
>> > "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
>> > In Windows terms, an absolute path would be "C:\upload" versus
>> > "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
>> > path is figured relative to the web root is when it is referenced in a
>> > browser. At this point, for all intents and purposes, it locates the file
>> > based on the web root. This is a fundamental difference between absolute
>> > and relative paths.
>> >
>> > Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
>> > Relative: begins wherever the running script is located in the file system.
>> >
>> > Joseph
>> >
>> > Roberto wrote:
>> >>
>> >> HI,
>> >>
>> >> Premise 1:
>> >> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
>> >>
>> >> Premise 2:
>> >> I have an "upload" folder with 777 permissions under:
>> >> /home/prof3ta/projects/moodle/htdocs/upload
>> >>
>> >> Premise 3:
>> >> The server root is obviously htdocs:
>> >> /home/prof3ta/projects/moodle/htdocs
>> >>
>> >> This said, the following doesn't work:
>> >>
>> >> <?php
>> >> $uploads_dir = "/upload";
>> >> $tmp_name = $_FILES["file"]["tmp_name"];
>> >> $name = $_FILES["file"]["name"];
>> >> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>> >> ?>
>> >>
>> >> The following does work:
>> >>
>> >> <?php
>> >> $uploads_dir = "../upload";
>> >> $tmp_name = $_FILES["file"]["tmp_name"];
>> >> $name = $_FILES["file"]["name"];
>> >> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>> >> ?>
>> >>
>> >> I consider it as a documentation bug (in the sample code they use an
>> >> absolute path).
>> >> I indeed believe I *should* be able to use both of them if not
>> >> documented otherwise.
>> >> I will dig into the C implementation of the move_uploaded_file
>> >> function and I'll check, though.
>> >>
>> >> Cheers,
>> >>
>> >> Roberto Aloi
>> >> http://aloiroberto.wordpress.com
>> >> Twitter: @prof3ta
>> >>
>> >>
>> >
>>
>
> I've never had any issue with the documentation for this function. I
> think it might just be an issue with interpretation? :p
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>


Re: Re: move_uploaded_file

on 12.12.2009 15:42:58 by Carl Furst

It's also a security flaw... php should be chrooted to the webroot! Or
it should be chrooted to the users home directory. Especially on windows
systems where security is not so strict.

My 2 cents,
Carl.

Roberto wrote:
> Hi Joseph,
>
> I'm perfectly fine with the concepts of absolute/relative path and
> webroot, trust me.
> For me it was just unclear from the documentation the fact that the
> "target path" in the move_uploaded_file function was "absolute" with
> respect to the file system and not to the "webroot".
> At the beginning I thought the function itself was taking care about
> adding the server root on its own to that path.
> Thinking carefully, it makes perfectly sense for the function to
> behave the way it actually does, since otherwise it would be
> impossible to get these files out of the server root in file system
> terms.
> Just, this should be written in CAPITAL LETTERS in the documentation.
> Thanks for the interest,
>
> Roberto Aloi
> http://aloiroberto.wordpress.com
> Twitter: @prof3ta
>
>
>> When used in PHP, an absolute path does not go off the web root. In Premise
>> 3 below, an absolute path of "/upload" will NOT bring up the directory
>> "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
>> In Windows terms, an absolute path would be "C:\upload" versus
>> "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
>> path is figured relative to the web root is when it is referenced in a
>> browser. At this point, for all intents and purposes, it locates the file
>> based on the web root. This is a fundamental difference between absolute
>> and relative paths.
>>
>> Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
>> Relative: begins wherever the running script is located in the file system.
>>
>> Joseph
>>
>> Roberto wrote:
>>
>>> HI,
>>>
>>> Premise 1:
>>> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
>>>
>>> Premise 2:
>>> I have an "upload" folder with 777 permissions under:
>>> /home/prof3ta/projects/moodle/htdocs/upload
>>>
>>> Premise 3:
>>> The server root is obviously htdocs:
>>> /home/prof3ta/projects/moodle/htdocs
>>>
>>> This said, the following doesn't work:
>>>
>>> <?php
>>> $uploads_dir = "/upload";
>>> $tmp_name = $_FILES["file"]["tmp_name"];
>>> $name = $_FILES["file"]["name"];
>>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>>> ?>
>>>
>>> The following does work:
>>>
>>> <?php
>>> $uploads_dir = "../upload";
>>> $tmp_name = $_FILES["file"]["tmp_name"];
>>> $name = $_FILES["file"]["name"];
>>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>>> ?>
>>>
>>> I consider it as a documentation bug (in the sample code they use an
>>> absolute path).
>>> I indeed believe I *should* be able to use both of them if not
>>> documented otherwise.
>>> I will dig into the C implementation of the move_uploaded_file
>>> function and I'll check, though.
>>>
>>> Cheers,
>>>
>>> Roberto Aloi
>>> http://aloiroberto.wordpress.com
>>> Twitter: @prof3ta
>>>
>>>
>>>


Re: Re: move_uploaded_file

on 12.12.2009 15:52:35 by Ashley Sheridan


On Sat, 2009-12-12 at 09:42 -0500, Carl Furst wrote:

> It's also a security flaw... php should be chrooted to the webroot! Or
> it should be chrooted to the users home directory. Especially on windows
> systems where security is not so strict.
>
> My 2 cents,
> Carl.
>
> Roberto wrote:
> > Hi Joseph,
> >
> > I'm perfectly fine with the concepts of absolute/relative path and
> > webroot, trust me.
> > For me it was just unclear from the documentation the fact that the
> > "target path" in the move_uploaded_file function was "absolute" with
> > respect to the file system and not to the "webroot".
> > At the beginning I thought the function itself was taking care about
> > adding the server root on its own to that path.
> > Thinking carefully, it makes perfectly sense for the function to
> > behave the way it actually does, since otherwise it would be
> > impossible to get these files out of the server root in file system
> > terms.
> > Just, this should be written in CAPITAL LETTERS in the documentation.
> > Thanks for the interest,
> >
> > Roberto Aloi
> > http://aloiroberto.wordpress.com
> > Twitter: @prof3ta
> >
> >
> >> When used in PHP, an absolute path does not go off the web root. In Premise
> >> 3 below, an absolute path of "/upload" will NOT bring up the directory
> >> "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
> >> In Windows terms, an absolute path would be "C:\upload" versus
> >> "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
> >> path is figured relative to the web root is when it is referenced in a
> >> browser. At this point, for all intents and purposes, it locates the file
> >> based on the web root. This is a fundamental difference between absolute
> >> and relative paths.
> >>
> >> Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
> >> Relative: begins wherever the running script is located in the file system.
> >>
> >> Joseph
> >>
> >> Roberto wrote:
> >>
> >>> HI,
> >>>
> >>> Premise 1:
> >>> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
> >>>
> >>> Premise 2:
> >>> I have an "upload" folder with 777 permissions under:
> >>> /home/prof3ta/projects/moodle/htdocs/upload
> >>>
> >>> Premise 3:
> >>> The server root is obviously htdocs:
> >>> /home/prof3ta/projects/moodle/htdocs
> >>>
> >>> This said, the following doesn't work:
> >>>
> >>> <?php
> >>> $uploads_dir = "/upload";
> >>> $tmp_name = $_FILES["file"]["tmp_name"];
> >>> $name = $_FILES["file"]["name"];
> >>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >>> ?>
> >>>
> >>> The following does work:
> >>>
> >>> <?php
> >>> $uploads_dir = "../upload";
> >>> $tmp_name = $_FILES["file"]["tmp_name"];
> >>> $name = $_FILES["file"]["name"];
> >>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >>> ?>
> >>>
> >>> I consider it as a documentation bug (in the sample code they use an
> >>> absolute path).
> >>> I indeed believe I *should* be able to use both of them if not
> >>> documented otherwise.
> >>> I will dig into the C implementation of the move_uploaded_file
> >>> function and I'll check, though.
> >>>
> >>> Cheers,
> >>>
> >>> Roberto Aloi
> >>> http://aloiroberto.wordpress.com
> >>> Twitter: @prof3ta
> >>>
> >>>
> >>>
>


Then hundreds of apps that use PHP to deliver files outside of web root
after a user has passed security validation would fail to work, and that
is just to name one specific example, as it's something I've used on
many sites. You'd lose access to a whole host of shell functionality,
because often the programs people call from the shell are not in the
PATH env variable for the user that Apache runs under (this is different
from the include path that Apache or PHP itself has). In my opinion,
chrooting PHP to the web root would cause major problems.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: move_uploaded_file

on 12.12.2009 16:27:20 by Carl Furst

Depends on the configuration. If I have a bunch of web sites and they
are all using files created, written and executed by the apache user,
when the apache process sudo execs the php from a specific web root I
want it to stay in that root. I don't want it to be able to write files
to another web root.

Believe me, I know administrators who have issues with php precisely
because of this. It is especially true if you are using VirtualHosts.
And even more true if you are using VirtualHosts with different users
controlling those hosts. You a) have to be very careful about users,
groups and permissions or b) chroot your php process. a) is much much
simpler.. as long as the apache process can read the files you're
golden. However on Windows, this is, of course, impossible; or at least
very highly improbable.

C.


Ashley Sheridan wrote:
> On Sat, 2009-12-12 at 09:42 -0500, Carl Furst wrote:
>> It's also a security flaw... php should be chrooted to the webroot! Or
>> it should be chrooted to the users home directory. Especially on windows
>> systems where security is not so strict.
>>
>> My 2 cents,
>> Carl.
>>
>> Roberto wrote:
>> > Hi Joseph,
>> >
>> > I'm perfectly fine with the concepts of absolute/relative path and
>> > webroot, trust me.
>> > For me it was just unclear from the documentation the fact that the
>> > "target path" in the move_uploaded_file function was "absolute" with
>> > respect to the file system and not to the "webroot".
>> > At the beginning I thought the function itself was taking care about
>> > adding the server root on its own to that path.
>> > Thinking carefully, it makes perfectly sense for the function to
>> > behave the way it actually does, since otherwise it would be
>> > impossible to get these files out of the server root in file system
>> > terms.
>> > Just, this should be written in CAPITAL LETTERS in the documentation.
>> > Thanks for the interest,
>> >
>> > Roberto Aloi
>> > http://aloiroberto.wordpress.com
>> > Twitter: @prof3ta
>> >
>> >
>> >> When used in PHP, an absolute path does not go off the web root. In Premise
>> >> 3 below, an absolute path of "/upload" will NOT bring up the directory
>> >> "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
>> >> In Windows terms, an absolute path would be "C:\upload" versus
>> >> "C:\home\prof3ta\projects\moodle\htdocs\upload". The only time an absolute
>> >> path is figured relative to the web root is when it is referenced in a
>> >> browser. At this point, for all intents and purposes, it locates the file
>> >> based on the web root. This is a fundamental difference between absolute
>> >> and relative paths.
>> >>
>> >> Absolute: begins at "/" in Linux operating systems and "C:\" in Windows OS
>> >> Relative: begins wherever the running script is located in the file system.
>> >>
>> >> Joseph
>> >>
>> >> Roberto wrote:
>> >>
>> >>> HI,
>> >>>
>> >>> Premise 1:
>> >>> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
>> >>>
>> >>> Premise 2:
>> >>> I have an "upload" folder with 777 permissions under:
>> >>> /home/prof3ta/projects/moodle/htdocs/upload
>> >>>
>> >>> Premise 3:
>> >>> The server root is obviously htdocs:
>> >>> /home/prof3ta/projects/moodle/htdocs
>> >>>
>> >>> This said, the following doesn't work:
>> >>>
>> >>> <?php
>> >>> $uploads_dir = "/upload";
>> >>> $tmp_name = $_FILES["file"]["tmp_name"];
>> >>> $name = $_FILES["file"]["name"];
>> >>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>> >>> ?>
>> >>>
>> >>> The following does work:
>> >>>
>> >>> <?php
>> >>> $uploads_dir = "../upload";
>> >>> $tmp_name = $_FILES["file"]["tmp_name"];
>> >>> $name = $_FILES["file"]["name"];
>> >>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>> >>> ?>
>> >>>
>> >>> I consider it as a documentation bug (in the sample code they use an
>> >>> absolute path).
>> >>> I indeed believe I *should* be able to use both of them if not
>> >>> documented otherwise.
>> >>> I will dig into the C implementation of the move_uploaded_file
>> >>> function and I'll check, though.
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Roberto Aloi
>> >>> http://aloiroberto.wordpress.com
>> >>> Twitter: @prof3ta
>> >>>
>> >>>
>> >>>
>>
>>
>
> Then hundreds of apps that use PHP to deliver files outside of web
> root after a user has passed security validation would fail to work,
> and that is just to name one specific example, as it's something I've
> used on many sites. You'd lose access to a whole host of shell
> functionality, because often the programs people call from the shell
> are not in the PATH env variable for the user that Apache runs under
> (this is different from the include path that Apache or PHP itself
> has). In my opinion, chrooting PHP to the web root would cause major
> problems.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
