1

recently, I have deployed a web server configuration with Apache, PHP-FPM, and MariaDB. it was running smoothly until my colleague deployed laravel 4 app on it with image uploading capability.

The problem was I have disabled PHP's chmod() function along with system() etc functions, while the script for uploading images uses chmod() and umask() (my colleague said that this is the default behavior).

I know that there is a debate over the danger of chmod wih PHP like this site that tells it is harmless, and this post that tells that a server should never be 777

what I don't understand is, why do you need to chmod() something when the PHP process can read the uploaded file properly even without chmod()? it can even create folders and delete folders without chmod() as those files and folders are created with the correct permission for PHP process.

tl;dr
so that brings to my question, is it true that file uploading in laravel 4 need chmod() to function properly? and why?

edit
for those who like to know the code (this code is found in vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/File/UploadedFile.php):

$target = $this->getTargetFile($directory, $name);

if (!@move_uploaded_file($this->getPathname(), $target)) {
    $error = error_get_last();
    throw new FileException(sprintf('Could not move file "%s" to "%s" (%S)', $this->getPathname(), $target, strip_tags($error['message'])));
}

@chmod($target, 0666 & ~umask());
Community
  • 1
  • 1
am05mhz
  • 2,727
  • 2
  • 23
  • 37
  • Can you show some code so we know what function in Laravel you are talking about specifically. – Devon Bessemer Oct 16 '16 at 19:52
  • @Devon well yes, I'll make the edit right now – am05mhz Oct 16 '16 at 19:54
  • If you read the post you linked to, the edit clarifies that chmod itself isn't dangerous unless they also have the ability to execute an uploaded script through something like `system()` or `exec()`. – Devon Bessemer Oct 16 '16 at 19:55
  • @Devon what i want to know is not whether it is safe or not, I just like to now why the extra effort? – am05mhz Oct 16 '16 at 20:03
  • You'd need to ask the Laravel dev specifically for that info, but I added my assumption. I think most would agree chmod is harmless. If you're that concerned about a rogue script changing permissions of files, you'd probably be best going another route. If you want to keep chmod disabled, extend this class and override this function. – Devon Bessemer Oct 16 '16 at 20:14

1 Answers1

0

I can't speak for the Laravel's reasoning behind this. It does looks like it is built into their functionality, but a quick search on this brought up comments under http://php.net/manual/en/function.move-uploaded-file.php.

The comments suggest that after moving uploaded files with move_uploaded_file, the permission is set to 0600. This would be fine if the web server and PHP process were running under the same desired user, but not if it relied on the group or a web server running under a generic user like apache or nobody. So my assumption would be Laravel did this for compatibility with the latter systems as 0600 means rw for the user and no access to the group or others.

Devon Bessemer
  • 34,461
  • 9
  • 69
  • 95
  • hmm, that is quite strange indeed, as it was not mentioned in the doc, but users reported it, may be it was a bug. I'll play on it and decide what to do, thanks a bunch. – am05mhz Oct 16 '16 at 20:17