[drupal-devel] [bug] Error with file api and open_basedir restriction

Fri Feb 18 01:55:23 UTC 2005

 Project:      Drupal
 Version:      cvs
 Component:    node system
 Category:     bug reports
 Priority:     normal
 Assigned to:  Jose A Reyero
 Reported by:  Jose A Reyero
 Updated by:   clydefrog
 Status:       patch

This functionality gets a +1 from me, the user. We solved this problem
by changing upload_tmp_dir in the server config, but a fix in Drupal
would be more elegant.

clydefrog

Previous comments:
------------------------------------------------------------------------

February 20, 2004 - 11:45 : Jose A Reyero

Attachment: http://drupal.org/files/issues/file-open-basedir.patch (1018 bytes)

I get this error when uploading a file through the file api, and the
upload fails:
warning: open_basedir restriction in effect. File is in wrong directory
in...
This happens when open_basedir restriction is activated and the
temporary directory is not in the allowed directories. There's a
related bug in the profile.module: http://drupal.org/node/view/2648 [1]
FIX:
The solution is to upload files using php's 'move_uploaded_file' -which
works even when open_basedir restriction is in effect.
This patch checks for the error conditions in
'file.inc::file_check_upload', and then uses move_uploaded_file to
upload the file to the temporary folder with a random name. Otherwise
-if the error conditions are not met-, does nothing.
RESTRICTIONS:
This patch introduces one additional restriction for the file api: Once
you have called 'file_check_upload', you have to use the returned object
when calling later 'file.api::file_save_upload'.
This shouldn't be a problem, as the right way to upload files should be
-I think, please correct me if I'm wrong-:
- $file=file_check_upload();
- (Perform validations with $file)
- file_save_upload($file,.....)
I will post also a very simple patch for profile.module to work with
this one. 
Anyway, as mentioned above, if the error conditions are not met, the
patch does nothing, so I think it should be applied first and then
check for other modules (profile.module) to use the file api the right
way and then be able to upload files when open_basedir restriction in
effect.
[1] http://drupal.org/node/view/2648

------------------------------------------------------------------------

November 28, 2004 - 09:38 : Goba

This seems to be an interesting alternate fix to my dump patch for
locale.module [2], which is the very same issue... Moving the file out
of the upload folder right away to the Drupal temp folder seems to be a
good idea to me. The only caveat is that files in the upload folder get
removed automatically, while one needs to remove the file from the
Drupal temp folder, once it is not needed anymore!
[2] http://drupal.org/node/13285

------------------------------------------------------------------------

December 8, 2004 - 11:26 : Goba

Please look at this stuff. We need to solve open_basedir problems at
least in core before the next point release. There are quite a few
users trying to use Drupal on shared hosting here, where open_basedir
is in effect.

-- 
View: http://drupal.org/node/5961
Edit: http://drupal.org/project/comments/add/5961