PHP :: Bug #55576 :: Race condition in move_uploaded_file()
| Bug #55576 | Race condition in move_uploaded_file() | | |
|---|---|---|---|
| Submitted: | 2011-09-03 11:34 UTC | Modified: | 2011-09-04 23:01 UTC |
| From: | cjk at wwwtech dot de | Assigned: | cataphract (profile) |
| Status: | Closed | Package: | Filesystem function related |
| PHP Version: | 5.3.8 | OS: | All |
| Private report: | No | CVE-ID: | None |
[2011-09-03 11:34 UTC] cjk at wwwtech dot de
Description:
------------
There is a race condition in the move_uploaded_file() function: if you don't want to overwrite a file, the standard mechanism is:

    $fd = fopen($file,"x");
    fclose($fd);
    move_uploaded_file($uploaded_file,$file);

But since move_uploaded_file() unlink()s a file first, there may be a race condition: the file gets created exclusively via fopen(…,"x"), move_uploaded_file() removes the same file and the process gets suspended. Another process creates the file via fopen(…,"x"), voila, race condition.

Expected result:
----------------
We need a concurrency-safe implementation of move_uploaded_file(). This can be achieved by implementing a third parameter, boolean $dont_overwrite. When set to true, move_uploaded_file() will ensure that the file does not exist by using open(…,O_RDWR|O_CREAT|O_EXCL) and returning false in case of error. The patch I attached does exactly this.

Actual result:
--------------
When two concurrent processes run, they may overwrite the same file twice w/o the possibility to prevent it.
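The interleaving from the report, replayed step by step in a single process as an added example (it is not PHP source and not the attached patch). `owners()` counts how many writers were told the target name is theirs, first with reserve, unlink, rename, then with a move that reserves the name with `O_EXCL` and renames over its own placeholder. The function names, the `/tmp/muf-*` scratch directory and the premise that source and destination share a filesystem are assumptions of this example.

```c
/* Added example, not PHP source; file names and contents are constructed. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Exclusive create plus payload: the C side of fopen($file, "x"). */
static int create_excl(const char *path, const char *data) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;                      /* EEXIST: the name is taken */
    ssize_t n = write(fd, data, strlen(data));
    return (close(fd) == 0 && n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* Move that never replaces someone else's dst (assumes one filesystem). */
static int move_no_overwrite(const char *src, const char *dst) {
    if (create_excl(dst, "") != 0) return -1;   /* dst exists: refuse */
    if (rename(src, dst) == 0) return 0;        /* replaces only our placeholder */
    unlink(dst);                                /* e.g. EXDEV: release the name */
    return -1;
}

/* Writers A and B want the same name. Returns how many were told the name is
 * theirs (1 is correct, 2 is the race), or -1 if the scratch dir failed. */
static int owners(int safe) {
    char dir[64];
    int a_ok, b_ok;
    snprintf(dir, sizeof dir, "/tmp/muf-%ld-%d", (long)getpid(), safe);
    if (mkdir(dir, 0700) != 0 || chdir(dir) != 0) return -1;
    create_excl("tmpA", "A"); create_excl("tmpB", "B");  /* the two uploads */
    if (safe) {
        a_ok = move_no_overwrite("tmpA", "target") == 0;
        b_ok = move_no_overwrite("tmpB", "target") == 0; /* refused */
    } else {
        a_ok = create_excl("target", "") == 0;  /* A: fopen($file, "x")          */
        unlink("target");                       /* A: move unlinks, A suspended  */
        b_ok = create_excl("target", "") == 0;  /* B: fopen($file, "x") succeeds */
        unlink("target"); rename("tmpB", "target");   /* B: completes its move   */
        rename("tmpA", "target");               /* A: resumes, replaces B's file */
    }
    unlink("tmpA"); unlink("tmpB"); unlink("target");
    return (chdir("/tmp") == 0 && rmdir(dir) == 0) ? a_ok + b_ok : -1;
}

int main(void) {
    printf("owners: unlink+rename=%d, exclusive move=%d\n", owners(0), owners(1));
    return 0;
}
```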
Patches
php-move-upladed-files-race-condition.patch (last revision 2011-09-03 11:35 UTC by cjk at wwwtech dot de)
Pull Requests
History
[2011-09-03 18:16 UTC] cataphract@php.net
[2011-09-04 10:57 UTC] cjk at wwwtech dot de
[2011-09-04 23:01 UTC] cataphract@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cataphract
[2011-09-04 23:01 UTC] cataphract@php.net