php question

David P. Schwartz davids@desertigloo.com
Tue, 16 Jan 2001 00:28:49 -0700


See below...

Joshua Eichorn wrote:

> The php upload directory is set by the php3.ini file.  This file is
> located in /usr/local/bin/php/ and is set up by the administrator of the
> webserver.
> The upload directory can't be changed in the script because it's a
> security risk.
>
> Unless your system is set up weird nobody should be able to write to
> /var/tmp.

Do you mean that userid "nobody" should be able to write to /var/tmp, or that no-body can write to it?

> http://www.php.net/manual/en/features.file-upload.php
> Read through the above url to see how to handle file uploads using forms.
> If you're still having problems give me an email and I can write you an
> example script.
> -joshua eichorn

I looked at the page.  Here's the code I used:

================================================
if ($REQUEST_METHOD == "POST")
{
   $form = $HTTP_POST_VARS;

   // the following lines, down to the assignment to REQUEST_METHOD, are taken
   // directly from the referenced web page.  I changed the variable names where needed.

   // Userland test for uploaded file.
   function is_uploaded_file($filename) {
     if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
       $tmp_file = dirname(tempnam('', ''));
     }
     $tmp_file .= '/' . basename($filename);
     /* User might have trailing slash in php.ini... */
     return (ereg_replace('/+', '/', $tmp_file) == $filename);
   }

   if (is_uploaded_file($reply_file)) {
     copy($reply_file, "replies");
     echo "Got it!";
   } else
     echo "Possible file upload attack: filename '$reply_file'.";
. . .
    $REQUEST_METHOD = "GET";
}

if ($REQUEST_METHOD == "POST")
{
. . .
   $foot .= "<FORM METHOD=POST ACTION=\"$PHP_SELF?$QUERY_STRING\" ENCTYPE=\"multipart/form-data\">";
   $foot .= "<TABLE ALIGN=CENTER BORDER=1>\n";
   $foot .= "  <TR ALIGN=CENTER>\n";
   $foot .= "    <INPUT TYPE=\"hidden\" NAME=\"MAX_FILE_SIZE\" VALUE=\"2097152\">\n";
   $foot .= "    <TD>Include this file: <INPUT TYPE=\"file\" NAME=\"reply_file\" SIZE=\"40\"></TD>";
. . . lots of stuff skipped, but the table and form logic works fine . . .
   echo $foot;
}
================================================

When the script is run, a file name is selected and entered, and then the SUBMIT button is clicked, what the POST code above displays is:

     Possible file upload attack: filename '..tempfile.name..'.

It's just gone!

-David
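
Added example, not part of the original thread and not code from either poster: the userland check above is a plain string comparison of paths, whereas PHP's built-in `is_uploaded_file()` and `move_uploaded_file()` (available since PHP 4.0.3) ask the engine whether the file really arrived in this request. The field name `reply_file`, the 2097152-byte limit and the `replies` directory are taken from the post; PHP 7+, the function name `store_reply_upload` and the `.upload` suffix are assumptions.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ and that a
// writable "replies" directory exists beside this script.

const MAX_UPLOAD_BYTES = 2097152; // same value as the form's MAX_FILE_SIZE

// Hypothetical helper: validates and stores the "reply_file" upload,
// returning the stored path or throwing RuntimeException.
function store_reply_upload(array $files, string $destDir): string
{
    if (!isset($files['reply_file']) || !is_array($files['reply_file'])) {
        throw new RuntimeException('no reply_file field in request');
    }
    $f = $files['reply_file'];

    // PHP records its own failures here (size limits, partial upload,
    // no file selected). An array value means a multi-file field.
    $err = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . json_encode($err));
    }

    // Ask the engine, instead of comparing path strings, whether this
    // temp file was created by an HTTP upload in the current request.
    $tmp = $f['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // The hidden MAX_FILE_SIZE field is sent by the client, so the
    // limit is checked again against the file PHP actually stored.
    if (filesize($tmp) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file exceeds size limit');
    }

    // Server-generated name: the client's filename never reaches the path.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not move file into ' . $destDir);
    }
    return $dest;
}

try {
    $stored = store_reply_upload($_FILES, __DIR__ . '/replies');
    echo 'Got it: ', basename($stored), "\n";
} catch (RuntimeException $e) {
    echo 'Upload rejected: ', $e->getMessage(), "\n";
}
```

Run from the command line, where `$_FILES` is empty, the script prints the rejection path; behind a web server it handles the multipart form shown in the post.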