Re: Re: move_uploaded_file

On Sat, 2009-12-12 at 09:42 -0500, Carl Furst wrote:

> It's also a security flaw... php should be chrooted to the webroot! Or
> it should be chrooted to the users home directory. Especially on windows
> systems where security is not so strict.
> 
> My 2 cents,
> Carl.
> 
> Roberto wrote:
> > Hi Joseph,
> >
> > I'm perfectly fine with the concepts of absolute/relative path and
> > webroot, trust me.
> > For me it was just unclear from the documentation the fact that the
> > "target path" in the move_uploaded_file function was "absolute" with
> > respect to the file system and not to the "webroot".
> > At the beginning I thought the function itself was taking care of
> > adding the server root on its own to that path.
> > Thinking carefully, it makes perfect sense for the function to
> > behave the way it actually does, since otherwise it would be
> > impossible to get these files out of the server root in file system
> > terms.
> > Just, this should be written in CAPITAL LETTERS in the documentation.
> > Thanks for the interest,
> >
> > Roberto Aloi
> > http://aloiroberto.wordpress.com
> > Twitter: @prof3ta
> >
> >
> >> When used in PHP, an absolute path does not go off the web root. In Premise
> >> 3 below, an absolute path of "/upload" will NOT bring up the directory
> >> "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
> >>  In Windows terms, an absolute path would be "C:\upload" versus
> >> "C:\home\prof3ta\projects\moodle\htdocs\upload".  The only time an absolute
> >> path is figured relative to the web root is when it is referenced in a
> >> browser.  At this point, for all intents and purposes, it locates the file
> >> based on the web root.  This is a fundamental difference between absolute
> >> and relative paths.
> >>
> >> Absolute:  begins at "/" in Linux operating systems and "C:\" in Windows OS
> >> Relative:  begins wherever the running script is located in the file system.
> >>
> >> Joseph
> >>
> >> Roberto wrote:
> >>
> >>> Hi,
> >>>
> >>> Premise 1:
> >>> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
> >>>
> >>> Premise 2:
> >>> I have an "upload" folder with 777 permissions under:
> >>> /home/prof3ta/projects/moodle/htdocs/upload
> >>>
> >>> Premise 3:
> >>> The server root is obviously htdocs:
> >>> /home/prof3ta/projects/moodle/htdocs
> >>>
> >>> This said, the following doesn't work:
> >>>
> >>> <?php
> >>> // "/upload" is resolved against the file system root, not the web root
> >>> $uploads_dir = "/upload";
> >>> $tmp_name = $_FILES["file"]["tmp_name"];
> >>> $name = $_FILES["file"]["name"];
> >>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >>> ?>
> >>>
> >>> The following does work:
> >>>
> >>> <?php
> >>> // relative to the running script's directory (htdocs/feedback_tool)
> >>> $uploads_dir = "../upload";
> >>> $tmp_name = $_FILES["file"]["tmp_name"];
> >>> $name = $_FILES["file"]["name"];
> >>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
> >>> ?>
> >>>
> >>> I consider it a documentation bug (in the sample code they use an
> >>> absolute path).
> >>> I indeed believe I *should* be able to use both of them if not
> >>> documented otherwise.
> >>> I will dig into the C implementation of the move_uploaded_file
> >>> function and I'll check, though.
> >>>
> >>> Cheers,
> >>>
> >>> Roberto Aloi
> >>> http://aloiroberto.wordpress.com
> >>> Twitter: @prof3ta
> >>>
> >>>
> >>>
> 


Then hundreds of apps that use PHP to deliver files outside of web root
after a user has passed security validation would fail to work, and that
is just to name one specific example, as it's something I've used on
many sites. You'd lose access to a whole host of shell functionality,
because often the programs people call from the shell are not in the
PATH env variable for the user that Apache runs under (this is different
from the include path that Apache or PHP itself has). In my opinion,
chrooting PHP to the web root would cause major problems.

Thanks,
Ash
http://www.ashleysheridan.co.uk
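The pattern Ash describes (uploads kept at a file-system path outside the web root and handed out only after a check), as an added example that is not code from this thread. It assumes the script lives in <webroot>/feedback_tool/ as in Roberto's Premise 1, that the uploads directory is a sibling of the web root, and that the caller supplies the `$authorised` result from the application's own access check.

```php
<?php
// Added example, not from the thread. Stores an upload at a file-system
// absolute path outside the web root and serves it back only after a check.
// Assumed layout: this script is in <webroot>/feedback_tool/, uploads live in
// a sibling of the web root (e.g. /home/prof3ta/projects/moodle/uploads).

// move_uploaded_file() takes a file-system path, not a web-root path, so the
// target is derived from __DIR__ rather than written as "/upload".
define('UPLOADS_DIR', realpath(__DIR__ . '/../../uploads')); // assumed location

function safe_name(string $clientName): ?string
{
    // Keep only the final path component and a conservative character set, so a
    // client-supplied "../../htdocs/x.php" cannot land outside UPLOADS_DIR.
    $name = basename($clientName);
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name) ? $name : null;
}

function store_upload(array $file): string
{
    if (UPLOADS_DIR === false || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload not usable');
    }
    $name = safe_name($file['name']);
    if ($name === null) {
        throw new RuntimeException('rejected filename');
    }
    $target = UPLOADS_DIR . '/' . $name;
    // is_uploaded_file() rejects a tmp_name that did not come from this request.
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    chmod($target, 0640); // the file itself does not need the directory's 777 mode
    return $target;
}

function deliver_file(string $requested, bool $authorised): void
{
    // Files outside the web root are only reachable through this function, so
    // the authorisation result and the path confinement are both checked here.
    $name = safe_name($requested);
    $path = $name === null ? false : realpath(UPLOADS_DIR . '/' . $name);
    if (!$authorised || $path === false || strpos($path, UPLOADS_DIR . '/') !== 0) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}
```

A form handler would call `store_upload($_FILES['file'])`, and a download endpoint `deliver_file($_GET['name'], $userMayDownload)` after the application's own login and ownership checks.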


