move_uploaded_file : permission denied 1

[PeDa]

I (and my fellow committe members) have full FTP-access to our website (hosted by a commercial provider). However, if we try to upload a file using the following procedure:

$targetDir="/XXX/customers/XXXXXX/XXXXXXXXX.nl/phptest/pictures/activiteiten/";
if (!empty($_FILES["image"]["tmp_name"]))
	{
	$targetFile = $targetDir . basename($_FILES["image"]["name"]);
	$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
	$check = getimagesize($_FILES["image"]["tmp_name"]);
	if($check !== false)
		{
		$uploadOk = 1;
		} 
	else 
		{
		$uploadOk = 0; //not an image
		}
	if ($_FILES["image"]["size"] > 500000) 
		{
		$uploadOk = 0; //image too large
		}
	if ($uploadOk == 0) 
		{
		echo "Sorry, image is too big!";
		}
	else 
		{
		// if everything is ok, try to upload file
		if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFile)) //this is line 373
			{
			echo "Image ". htmlspecialchars(basename( $_FILES["image"]["name"])). " has been uploaded.";
			} 
		else 
			{
			echo "Sorry, uploading failed!";
			}
		}
	}

we get the following error messages:

Warning: move_uploaded_file(/XXX/customers/XXXXXX/XXXXXXXXX.nl/phptest/pictures/activiteiten/aanmelden.jpg): failed to open stream: Permission denied in /XXX/CUSTOMERS/XXXXXX/XXXXXXXXX.nl/phptest/admin/activiteit.php on line 373

Warning: move_uploaded_file(): Unable to move '/tmp/php8aLh31' to '/XXX/customers/XXXXXX/XXXXXXXXX.nl/phptest/pictures/activiteiten/aanmelden.jpg' in /XXX/customers/XXXXXX/XXXXXXXXX.nl/phptest/admin/activiteit.php on line 373

We obviously need more permission - but how?

 

[feherke]

Hi

Some generic thoughts :
[ul]
[li]Was the upload successful ? I mean, is [tt][navy]$_FILES[/navy][teal][[/teal][green]"image"[/green][teal]][[/teal][green]"error"[/green][teal]] ==[/teal] UPLOAD_ERR_OK[/tt] ? There are errors on which [tt]$_FILES[/tt] will still be populated.[/li]
[li]What you get for [tt]is_uploaded_file[teal]([/teal][navy]$_FILES[/navy][teal][[/teal][green]"image"[/green][teal]][[/teal][green]"tmp_name"[/green][teal]])[/teal][/tt] ?[/li]
[li]What you get for [tt]file_exists[teal]([/teal][navy]$targetDir[/navy][teal])[/teal][/tt], [tt]is_dir[teal]([/teal][navy]$targetDir[/navy][teal])[/teal][/tt] and [tt]is_writable[teal]([/teal][navy]$targetDir[/navy][teal])[/teal][/tt] ?[/li]
[li]Can you move it to other directory, for example /XXX/customers/XXXXXX/XXXXXXXXX.nl/phptest/pictures/ ?[/li]
[/ul]

Feherke.
feherke.github.io

 

[PeDa]

Thank you for these suggestions: I get the following results (which all look ok?):

$_FILES["image"]["error"]== UPLOAD_ERR_OK:1
is_uploaded_file($_FILES["image"]["tmp_name"]):1
file_exists($targetDir):1
is_dir($targetDir):1

Moving to ...X.nl/phptest/pictures/ or ...X.nl/phptest/ (the root directory) does not help.

HOWEVER: using the same script I can upload to my own site (at a different commercial provider)!

 

[feherke]

Hi

I assume the last one, [tt]is_writable[teal]([/teal][navy]$targetDir[/navy][teal])[/teal][/tt], was also true.

One thing I would try anyway. What if you leave the upload part out and just create a file with [tt]file_put_contents[teal]([/teal][navy]$targetDir[/navy] [teal].[/teal] [green]'test.txt'[/green][teal],[/teal] [green]'Test Content'[/green][teal])[/teal][/tt] ? Additionally you can try this file creation from another PHP file too.


Feherke.
feherke.github.io

 

[PeDa]

Oh dear!; I missed that one, and is_writable($targetDir) is FALSE.

file_put_contents($targetDir . 'test.txt', 'Test Content') also doesn't work (also with sundry other target directories), giving another "...failed to open stream: Permission denied..." message.

On my own website is_writable($targetDir) is TRUE and file_put_contents works.

I tried playing with the 'Unix file flags' (which are set to 750 on both websites) but temporarily setting everything open (777) made no difference.

 

[feherke]

Hi

which are set to 750 on both websites

Well, that means only the owner can write there. So if the owner of $targetDir differs on those websites, then may be writable in on place and not writable in the other.
( Beside file modes there may be file attributes too, but unfortunately I never had anything to do with them, so never learned them. Hopefully not involved here either. )

How was that activiteiten/ directory created ? Probably "manually" using [tt]mkdir[/tt] over FTP, or something similar. I would try one more thing : delete that directory. Then in your PHP script add [tt]mkdir[teal]([/teal][navy]$targetDir[/navy][teal],[/teal] [purple]0777[/purple][teal])[/teal][/tt] somewhere before the [tt]move_uploaded_file()[/tt] call.


Feherke.
feherke.github.io

 

[PeDa]

Nice suggestion, but unfortunately mkdir() also gets Permission denied. I fear I cannnot solve my problem myself, but will have to approach the Provider to change permisions for the relevant folder.

 

[PeDa]

Solution was to set chmod 4770 in ftp application (4=Set UID bit - Run the file as the owner regardless of which user is running it)