Opened 5 years ago
Closed 5 years ago
#1484692 closed Bugs (invalid)
Upload does not respect php_admin_value
| Reported by: | robert.penz | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | |
| Component: | Core functionality | Version: | 0.1-rc2 |
| Severity: | normal | Keywords: | |
| Cc: |
Description
I've defined
php_admin_value open_basedir /var/www/mail.xxxx.xxx:/usr/share/php:/var/php/mail.xxxx.xxx/tmp
php_admin_value upload_tmp_dir /var/php/mail.xxxx.xxx/tmp
php_admin_value session.save_path /var/php/mail.xxxx.xxx/session
in my vhost config.
but roundcube keeps trying uploading to /tmp/ and I get following error
PHP Warning: move_uploaded_file() [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: open_basedir restriction in effect. File(/tmp/rcmAttmntTURSFz) is not within the allowed path(s): (/var/www/mail.xxxx.xxx:/usr/share/php:/var/php/mail.xxxx.xxx/tmp) in /var/www/mail.xxxx.xxx/program/steps/mail/upload.inc on line 42
as a work around i've added /tmp to the basedirs, but thats a security risk.
Change History (1)
comment:1 Changed 5 years ago by thomasb
- Resolution set to invalid
- Status changed from new to closed
RoundCube uses tempnam() and move_uploaded_file() to store the uploaded file. According to the PHP manual...
"If the directory does not exist, tempnam() may generate a file in the system's temporary directory, and return the name of that."
...I assume that the configured (in RoundCube config) temp dir is not writable for PHP and tempnam() therefore returns a path that it located in /tmp/
This is not a bug but a configuration problem.