I'm trying to asynchronously upload a file to a PHP website.
The PHP code reponsible for the upload is:
ini_set ('error_reporting', E_ALL);
ini_set ('display_errors', 1);
ini_set ('display_startup_errors', 1);
echo 'username = ' . `whoami`."\n";
var_dump($_FILES);
$str_name = $_FILES['file']['name'];
echo '$str_name = '.$str_name."\n";
$str_tmp = $_FILES['file']['tmp_name'];
echo '$str_tmp = '.$str_tmp."\n";
$str_tmpdir = substr($_FILES['file']['tmp_name'], 0, strrpos($_FILES['file']['tmp_name'], '/'));
echo '$str_tmpdir = '.$str_tmpdir."\n\n";
echo 'is_dir($str_tmpdir) = '.(is_dir($str_tmpdir) ? 'true' : 'false')."\n\n";
echo 'is_writable($str_tmp) = '.(is_writable($str_tmp) ? 'true' : 'false')."\n\n";
echo 'ini_get("file_uploads") = '.ini_get('file_uploads')."\n\n";
$location = "/Library/WebServer/Documents/pjamesnorris/img/".$str_name;
echo "\n".'move_uploaded_file("'.$_FILES['file']['tmp_name'].'", "'.$location.'")) = '.(move_uploaded_file($_FILES['file']['tmp_name'], $location) ? 'Success' : 'Failure');
and returns the following output:
username = _www
array(1) {
["file"]=>
array(6) {
["name"]=>
string(17) "DantesInferno.jpg"
["full_path"]=>
string(17) "DantesInferno.jpg"
["type"]=>
string(10) "image/jpeg"
["tmp_name"]=>
string(67) "/Library/WebServer/Documents/pjamesnorris/tmp_file_upload/phpRDWjOh"
["error"]=>
int(0)
["size"]=>
int(217602)
}
}
$str_name = DantesInferno.jpg
$str_tmp = /Library/WebServer/Documents/pjamesnorris/tmp_file_upload/phpRDWjOh
$str_tmpdir = /Library/WebServer/Documents/pjamesnorris/tmp_file_upload
is_dir($str_tmpdir) = true
is_writable($str_tmp) = true
ini_get("file_uploads") = 1
<br />
<b>Warning</b>: move_uploaded_file(/Library/WebServer/Documents/pjamesnorris/img/DantesInferno.jpg): Failed to open stream: Permission denied in <b>/Library/WebServer/Documents/pjamesnorris/php/upload.php</b> on line <b>28</b><br />
<br />
<b>Warning</b>: move_uploaded_file(): Unable to move "/Library/WebServer/Documents/pjamesnorris/tmp_file_upload/phpRDWjOh" to "/Library/WebServer/Documents/pjamesnorris/img/DantesInferno.jpg" in <b>/Library/WebServer/Documents/pjamesnorris/php/upload.php</b> on line <b>28</b><br />
move_uploaded_file("/Library/WebServer/Documents/pjamesnorris/tmp_file_upload/phpRDWjOh", "/Library/WebServer/Documents/pjamesnorris/img/DantesInferno.jpg")) = Failure
This PHP is called by the following javascript:
async function uploadFile()
{
let formData = new FormData();
formData.append("file", fileupload.files[0]);
await fetch('../php/upload.php',
{
method: "POST",
body: formData
});
alert('The file has been uploaded successfully.');
}
The output above tells me that /Library/WebServer/Documents/pjamesnorris/tmp_file_upload is writable, and its owner and permissions are:
drwxrwxr-x 2 _www wheel 64 Jun 10 10:35 tmp_file_upload/
Other people seem to have corrected by setting the directory permissions to 0777 but seems like I would be opening myself to security issues, and I've tried it and it had no effect.
I'm at an utter loss as to what the problem is/might be and any help would be appreciated!
CodePudding user response:
The owner of the destination folder, /Library/WebServer/Documents/pjamesnorris/img/ has to be _www as well!
CodePudding user response:
Your directory /Library/WebServer/Documents/pjamesnorris/tmp_file_upload has the permissions: drwxrwxr-x 2 _www wheel 64 Jun 10 10:35 tmp_file_upload/
The d represents a directory. The first rwx tells us that _www can read, write and search the directory. The second rwx tells you anyone in the wheel group can read, write and search the directory. The final r-x tells you that anyone else can only read or search.
The reason 0777 would fix is it would allow anyone to write. What you need to find is why your software is not run under the user _www and not ran by a user in the wheel group.