verot.net

You can't change the source directory (/data/temp/). This directory is the temp directory for PHP, you can't control its location (I mean in a shared hosting situation).

I don't know why it doesn't work. Can you post a link to the PHPinfo() on your server? Are you in a chroot environment?Reply

He can write a one line php file that will display the phpinfo like:

As for the chroot environment, dunno what he's talking about as there's not something like that for PHP, so the answer would be no.

He may be thinking about safe mode though, as you know, php 4 is using safe mode, but php5 does not.

They could also be asking about open_base_dir which is common for upload gadgets, they need to use move_uploaded_file() instead of trying to read the temp directory directly. This is common for older scripts.

What error is he getting?Reply

Sometimes, PHP (Apache) can be installed in a chroot environment. Safe mode can also be used.

You're right about the open_base_dir although in any good setup, open_base_dir will actually include /tmp. If it is an open_base_dir issue, then there is a bit of code in the class that can be uncommented to use move_uploaded_file()Reply

I uncommented the move_uploaded_file code and still got exactly the same result.

Here's a link to PHPinfo(): http://www.alphaselect.ca/locations/phpi.php

If you have any more suggestions that would be awesome.

Thanks,

TomReply

Try to comment the following lines:

$this->log .= '- ' . _("no image processing wanted") . '
';

if (!$this->no_upload_check) {
    $result = is_uploaded_file($this->file_src_pathname);
} else {
    $result = TRUE;
}
if ($result) {
    $result = file_exists($this->file_src_pathname);
    if ($result) {
        $result = copy($this->file_src_pathname, $this->file_dst_pathname);
        if (!$result) {
            $this->processed = false;
            $this->error = _("Error copying file on the server. Copy failed");
        }
    } else {
        $this->processed = false;
        $this->error = _("Error copying file on the server. Missing source file");
    }
} else {
    $this->processed = false;
    $this->error = _("Error copying file on the server. Incorrect source file");
}

and uncomment the following:

//$result = move_uploaded_file($this->file_src_pathname, $this->file_dst_pathname);
//if (!$result) {
//    $this->processed = false;
//    $this->error = _("Error copying file on the server");
//}

Then try uploading a file which is not an image (or an image, but with no image processing), and tell me if it works.Reply

Sorry, Colin, I still get the same result:

file not uploaded to the wanted location
Error: No source file. Can't carry on a process

source is an uploaded file
- upload OK
- file name OK
- source variables
    file_src_name         : dondale_benjamin.pdf
    file_src_name_body    : dondale_benjamin
    file_src_name_ext     : pdf
    file_src_pathname     : /data/temp/phpvYxNaw
    file_src_mime         : application/pdf
    file_src_size         : 64278 (max= 134217728)
    file_src_error        : 0
process file to /data/in/b/beverley/www/select/locations/test/
- file size OK
- file mime OK : application/pdf
- file name safe format
- destination variables
    file_dst_path         : /data/in/b/beverley/www/select/locations/test/
    file_dst_name_body    : dondale_benjamin
    file_dst_name_ext     : pdf
- image operation, keep extension
- checking for auto_rename
- destination file details
    file_dst_name         : dondale_benjamin.pdf
    file_dst_pathname     : /data/in/b/beverley/www/select/locations/test/dondale_benjamin.pdf
- dondale_benjamin.pdf doesn't exist already

My ISP technical support replied with the following:
"I would have to see the source code to be sure of course but from your description it sounds like are not following the correct procedure for dealing with uploaded files".

"The key thing to keep in mind that is that you need to move the upload to a local directory in your account (which you have given the web server "rwx" access to) first before manipulating it. You cannot directly access files outside of your account which is why the function "move_uploaded_file" exists".

"This issue is actually handled quite well in the official PHP documentation ..."

I'd appreciate any help you can offer.

Thanks,

TomReply

What your hosting company says is right, however you can still read the file from the temp directory, or so I believe. I understand the problem that you have, but I never experienced it. I heard that the same behaviour occurs in a chroot situation.

The code which makes problem is the following:

if ($this->processed && !file_exists($this->file_src_pathname)) {
  $this->processed = false;
  $this->error = _("No source file. Can't carry on a process");
}

As far as I know, that code should be OK, since you should be able to have PHP to check if the file exists, before you copy it (even with move_uploaded_file()). I will do some checks tonight if I get a bit of time.

Otherwise, the solution would be to modify the class so that the uplaoded file is first copied in a temporary directory on which you have full access. I meant to do that for the chroot people anyway, but it's a fairly big change, and also you need to set up a temp directory. This is annoying since most problem will not actually need it.

I will see, and get back to you.Reply

Hi Colin,

This is what my ISP suggests:

"PHP includes a function specifically to do what is described above and which works with "open_basedir" restrictions (that is partially why it
was created in the first place):
http://ca.php.net/manual/en/function.is-uploaded-file.php

Code should never be working out of the global temp directory since that would be a security issue (i.e. if you can access it directly, so can other
customers). It is the same concept as why user code should not have direct access to the global session directory.

So the upload class needs to use "is_uploaded_file()" and "move_uploaded_file()" for sanity checking and moving the upload to a local directory respectively. Any actual manipulation of the file definitely needs to happen locally in your account.

Here is what the uplaod class should be doing for its file test (assuming that "file_src_pathname" has been taken from the $_FILES array value for "tmp_name"):

if ($this->processed && !is_uploaded_file($this->file_src_pathname)) {
  $this->processed = false;
  $this->error = _("No source file. Can't carry on a process");
}

"file_exists()" can only access files which are within the "open_basedir" setting.

So I did that and tried another PDF upload, and I now get a different error:

file not uploaded to the wanted location
Error: Source file is not readable. Can't carry on a process

source is an uploaded file
- upload OK
- file name OK
- source variables
    file_src_name         : emrys_cv_jan2004.pdf
    file_src_name_body    : emrys_cv_jan2004
    file_src_name_ext     : pdf
    file_src_pathname     : /data/temp/phpG22U2X
    file_src_mime         : application/pdf
    file_src_size         : 1490859 (max= 134217728)
    file_src_error        : 0
process file to /data/in/b/beverley/www/select/locations/test/
- file size OK
- file mime OK : application/pdf
- file name safe format
- destination variables
    file_dst_path         : /data/in/b/beverley/www/select/locations/test/
    file_dst_name_body    : emrys_cv_jan2004
    file_dst_name_ext     : pdf
- image operation, keep extension
- checking for auto_rename
- destination file details
    file_dst_name         : emrys_cv_jan2004.pdf
    file_dst_pathname     : /data/in/b/beverley/www/select/locations/test/emrys_cv_jan2004.pdf
- emrys_cv_jan2004.pdf doesn't exist already

Maybe that will help isolate the problem.

TomReply

Yes, yes, your ISP is totally right. However, the class still works with open_basedir since I have it enabled on one of my servers, and I can still upload and manipulate images; there must be a catch somewhere.

Regardless, I will modify the class so that it strictly only uses the two PHP functions is_uploaded_file() and move_uploaded_file() to retrieve the file. It is a bit annoying since we need a temp directory, to copy the image before we can manipulate it, etc... but I will not make it compulsory, so you can switch to the new behaviour only if the original behaviour does not work.

This said, I can't work on it right now, I am very busy. I wish I could provide you with a quick fix, but unfortunately it requires substantial changes.
Since the class is maintained on my free time, I can't prioritize it very high... Still, you might want to sponsor this change, which then would convince me to do it quickly ;)Reply

Thanks, Colin, I've made a donation.

TomReply

Donation received, and much appreciated. I will be working on a new version, and attempt to fix the open_basedir problem for you.Reply

Wonderful, thank you.Reply

Did you receive my email I sent on your email address you left in the forum?Reply

Hi Colin,

Yes I did. I tested the beta 0.22 version you sent me and I did reply to the email you had sent. The 0.22 modification worked for uploading a JPEG but failed on a PDF.

TomReply

Hem, I didn't receive your email, it might have been lost in my spam filters....

I will investigate the issue next week, and fix that up. Thanks for the feedback.Reply

Hi Colin,

Thanks - here's the log transcript, As it shows I successfully uploaded a JPEG image file (I didn't try any processing), but when I tried a PDF I got an error and ended up with a 0 k file in the target folder.

Tom

file not uploaded to the wanted location
Error: Can't read image source. not an image?

source is an uploaded file
- upload OK
- file name OK
- source variables
    file_src_name         : alpha select scrubby.pdf
    file_src_name_body    : alpha select scrubby
    file_src_name_ext     : pdf
    file_src_pathname     : /data/temp/phpZu6PM0
    file_src_mime         : application/pdf
    file_src_size         : 186287 (max= 134217728)
    file_src_error        : 0
process file to /data/in/b/beverley/www/select/locations/test/
- file size OK
- file mime OK : application/pdf
- file name safe format
- destination variables
    file_dst_path         : /data/in/b/beverley/www/select/locations/test/
    file_dst_name_body    : alpha_select_scrubby
    file_dst_name_ext     : pdf
- image operation, keep extension
- checking for auto_rename
- destination file details
    file_dst_name         : alpha_select_scrubby.pdf
    file_dst_pathname     : /data/in/b/beverley/www/select/locations/test/alpha_select_scrubby.pdf
- alpha_select_scrubby.pdf doesn't exist already
- can't directly access the uploaded file
    attempting creating a temp file: file created
    temp file is: /data/in/b/beverley/www/select/locations/test/44e6be310d3f9987e914c203a6aced57.pdf
- image resizing or conversion wanted
- deletes temporary file

Reply

What is your code (as in class parameters)? It seems that you attempt to do some image manipulation (image resizing or conversion wanted) on the PDF, but it fails since it is not an image.Reply

Right - my upload form has <input name="action" type="hidden" value="image" />. I guess I need to put "multiple" in to allow for uploading of images or PDFs, or separate the user input into one form for images (which is the most likely upload) and another for PDF documents. I'll test that out and let you know the results.

Thanks,

TomReply

Yes, you'd better have two different fields, one for pictures, with which you can do image manipulations, and one for PDF files.Reply