1

I'm developing a CMS in PHP as a learning exercise but have hit a brick wall called "open_basedir restriction" - I am trying to upload a small JPG file. I've tried to give as much info as concisely as possible but let me know if I forgot anything!

I can see it hit the c:/windows/temp/ folder every time so it's only falling over when trying to perform the move_uploaded_file operation.

After much research I know what this is and in theory how to fix it having read a number of pages online such as:

http://forum.parallels.com/showthread.php?258036-Plesk-Windows-open_basedir-restriction-in-effect

My Code

$uiq = uniqid();
$image_folder = "/img/articles/original/";
$uploaded = false;

if (isset($_POST['upload_image'])) {
    if ($_FILES['userImage']['error'] == 0) {
        $up = move_uploaded_file($_FILES['userImage']['tmp_name'], $image_folder.$_FILES['userImage']['name']);
        if ($up) {
            $uploaded = true;
        }
    }
}

My PHPINFO

My PhpInfo results show that the root of my web hosting space is in the list of allowed folders:

open_basedir: F:\PLESK\WWW\mydomain.com\httpdocs\

The Error

PHP Warning: move_uploaded_file(): open_basedir restriction in effect. File(/img/articles/original/test.jpg) is not within the allowed path(s): (F:\PLESK\WWW\mydomain.com\httpdocs) in F:\PLESK\WWW\mydomain.com\httpdocs\sparklyphp\cms\modules\articles\edit\photos\index.php on line 40

More Errors

If I change my path

$image_folder = "/img/articles/original/";

to

$image_folder = "img/articles/original/";

I get additional errors:

PHP Warning:  move_uploaded_file(): open_basedir restriction in effect. File(C:\Windows\Temp\php393F.tmp) is not within the allowed path(s): (F:\PLESK\WWW\mydomain.com\httpdocs\) in F:\PLESK\WWW\mydomain.com\httpdocs\sparklyphp\cms\modules\articles\edit\photos\index.php on line 40
PHP Warning:  move_uploaded_file(): open_basedir restriction in effect. File(C:\Windows\Temp\php393F.tmp) is not within the allowed path(s): (F:\PLESK\WWW\mydomain.com\httpdocs\) in F:\PLESK\WWW\mydomain.com\httpdocs\sparklyphp\cms\modules\articles\edit\photos\index.php on line 40
PHP Warning:  move_uploaded_file(C:\Windows\Temp\php393F.tmp): failed to open stream: Operation not permitted in F:\PLESK\WWW\mydomain.com\httpdocs\sparklyphp\cms\modules\articles\edit\photos\index.php on line 40
PHP Warning:  move_uploaded_file(): Unable to move 'C:\Windows\Temp\php393F.tmp' to 'img/articles/original/test.jpg' in F:\PLESK\WWW\mydomain.com\httpdocs\sparklyphp\cms\modules\articles\edit\photos\index.php on line 40

Hosting Environment

The website hosting environment is a Windows 2008 R2 box with Plesk 11.5 (the latest version/update) running PHP 5.4.16 in FastCGI mode. I have full admin access to the entire server.

The most frustrating thing here is that the file is being uploaded to the temp folder, I just can't get it from there!

Any help would be much appreciated!

Bob

Mr Fett
  • Also - I have tried adding the c:\windows\temp\ folder to the allowed folders but it made no difference (and as the upload was working anyway, I figure this is unlikely to be the problem) – Mr Fett Aug 23 '13 at 13:13
  • Have you looked at the answer to this question? http://stackoverflow.com/questions/1846882/open-basedir-restriction-in-effect-file-is-not-within-the-allowed-paths – iswinky Aug 23 '13 at 13:16
  • user2071225 - yes, unfortunately it requires being able to disable the open_basedir requirement for the server (which isn't possible in a shared hosting environment). The crux of the problem here is that there's a facility to 'whitelist' a folder but either it's not working or I'm missing something in my code. – Mr Fett Aug 23 '13 at 13:42
  • I guess what I don't understand is the PHPINFO is showing the folder exception correctly but then I'm getting an error saying the folder I'm uploading to isn't within it. – Mr Fett Aug 23 '13 at 13:45

3 Answers

1

I have NO IDEA why this worked. Ok so in the end I solved this by grabbing and storing the current working directory and switching the working directory to the root of the site:

$storeOriginalPath = getcwd();
chdir($_SERVER['DOCUMENT_ROOT']);

Performed the upload:

    $uiq = uniqid();
    $image_folder = "img/articles/original/";
    $uploaded = false;

    if (isset($_POST['upload_image'])) {
        if ($_FILES['userImage']['error'] == 0) {
            $up = move_uploaded_file($_FILES['userImage']['tmp_name'], $image_folder.$_FILES['userImage']['name']);
            if ($up) {
                $uploaded = true;
            }
        }
    }

And switched back:

chdir($storeOriginalPath);

So I'm considering putting chdir($_SERVER['DOCUMENT_ROOT']); at the start of all my PHP pages and having everything relative to the root (that's what I'm used to in ASP). Is this common, ill-advised, smart, smelly or just plain stupid?

Mr Fett
  • +1 for fixing your own problem - see my answer to address "NO IDEA". Changing dir is quite eww - just use the constant in the path `$image_folder = $_SERVER['DOCUMENT_ROOT'] . '/img/...'`. Know that you should _not_ trust user submitted data - the `name` needs to be sanitized, or users can attempt to overwrite your application files or upload their own malicious content and execute it. – AD7six Aug 23 '13 at 14:31
  • if that's the way you get it working, fine, but it is very suboptimal and can easily cause issues. you should use full absolute paths, not relying on anything relative. – eis Aug 23 '13 at 16:23
  • Hi both - I tried using hard coded absolute paths as well (e.g. F:/Plesk/Websites/mydomain.com/httpdocs/img/articles/original) but still got the error above but will continue tinkering with it. Thanks again for your help! – Mr Fett Aug 24 '13 at 07:51
  • What do you think of my declaring "chdir($_SERVER['DOCUMENT_ROOT']);" at the start of all the CMS pages to allow them all to have the same start point (I'm finding hard coding relative paths for all the includes tedious, e.g. ../../../../../inc/header.asp) – Mr Fett Aug 24 '13 at 07:54
  • like I said, it can easily cause other issues in the long run. See my answer about fixing your configuration, which might fix it. – eis Aug 26 '13 at 06:37
1

This:

PHP Warning:  move_uploaded_file(): open_basedir restriction in effect.
File(C:\Windows\Temp\php393F.tmp) is not within the allowed path(s):
(F:\PLESK\WWW\mydomain.com\httpdocs\) in
F:\PLESK\WWW\mydomain.com\httpdocs\sparklyphp\cms\modules\articles\edit\photos\index.php on line 40

is basically saying even your temp folder is not allowed. AFAIK that would be clearly a misconfiguration and you should contact your hosting to fix it. Or, if you have full admin access like you say you have, just change the open_basedir restriction to something sane. This page looks to contain instructions on changing/removing open_basedir settings.

eis
0

The path is wrong

$image_folder = "/img/articles/original/";
...
$up = move_uploaded_file($_FILES['userImage']['tmp_name'],  $image_folder...

The above code is going to try to move a file to an absolute location /img/... On a Windows system, I assume that'll be interpreted to mean e.g. F:\img\...

Plesk, by default, only permits a php application to write to the document root of the domain, or the tmp folder - therefore probably what you require is to change the destination folder path:

// edit this and make sure this points somewhere writable
$image_folder = "./img/articles/original/";

To write to a folder under the document root.

AD7six
  • AD7six - Thanks for chiming in! I've tried "/img/articles/original/", "./img/articles/original/" and "img/articles/original/" and all give similar errors (the latter two giving the additional ones detailed above). – Mr Fett Aug 23 '13 at 14:30
  • They'll give a different error because the path doesn't exist (but is writable as it's under httpdocs). – AD7six Aug 23 '13 at 14:32
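
Added example, not code from the question or from any answer above: one way to combine the advice in this thread, with an absolute destination built from `$_SERVER['DOCUMENT_ROOT']` and a server-generated file name instead of the client-supplied `name`. The function name `store_uploaded_image()` and the image-type allowlist are assumptions; the form field and the folder are the question's.

```php
<?php
// Added example; store_uploaded_image() and the allowlist are hypothetical.
function store_uploaded_image(array $file, $docRoot)
{
    // Absolute destination under the document root, independent of getcwd().
    $destDir = rtrim($docRoot, '/\\') . '/img/articles/original';
    if (!is_dir($destDir) || !is_writable($destDir)) {
        throw new RuntimeException("Destination missing or not writable: $destDir");
    }

    $err = isset($file['error']) ? $file['error'] : null;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload rejected, error ' . var_export($err, true));
    }

    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Decide the type from the content, not from the client-supplied name.
    // Reading the temp file requires the upload temp directory to be
    // permitted by open_basedir; if it is not, this check fails closed.
    $info = getimagesize($file['tmp_name']);
    $allowed = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif');
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not an accepted image type');
    }

    // $file['name'] never reaches the path: no traversal, no .php extension.
    $target = $destDir . '/' . uniqid('img_', true) . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException("Could not move upload to $target");
    }
    return $target;
}

$uploaded = false;
if (isset($_POST['upload_image'], $_FILES['userImage'])) {
    try {
        $saved = store_uploaded_image($_FILES['userImage'], $_SERVER['DOCUMENT_ROOT']);
        $uploaded = true;
    } catch (RuntimeException $e) {
        error_log($e->getMessage()); // keep paths out of the HTTP response
    }
}
```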