tags:

views:

1280

answers:

5
+3  Q: 

PHP temp file names for uploads colliding

When a user uploads a file, randomly it gets replaced by another user's upload, I've finally tracked down the issue to PHP and the tmp file name being reused. Is there a way to fix this? Is there a way to make better random names? It seems to degrade over time, as in the random file name seed gets weaker? This is on PHP 5.2.8 and FreeBSD 7.0

Here is a log showing how the same tmp file name gets used and is overwritten by another upload: http://pastebin.com/m65790440

Any help is GREATLY appreciated. I've been trying to fix this for over 4 months and has gotten worse over time. Thank you.

EDIT: Keep in mind that this is not a PHP code issue, this is happening before it reaches any PHP code, the file received via $_FILES['name']['tmp_name'] is incorrect when it is received and its been traced back that it is being overwritten with someone else's upload before it reaches the upload processing script

A: 

I would recommend using a GUID generator for the filename seeing that you are getting so many.

webclimber  2009-03-10 19:25:57
Is there a way to override how PHP names file uploads coming in? as of right now php uses a 'phpxxxxx' schema
noaheverett  2009-03-10 19:27:35
+1  A: 

Is PHP running under apache, as mod_php?

You may try to create a per-process temporary upload directory whose name contains your php getmypid(), then ini_set your PHP process' upload_tmp_dir to that directory. This will not work if a new php process is spawned for every request.

vladr  2009-03-10 19:28:10
Is there a way to override how PHP names file uploads coming in?
noaheverett  2009-03-10 19:29:31
no, but you may be able to override (at runtime) the temporary directory where temporary files are dumped
vladr  2009-03-10 19:43:43
A: 

Move your files to a user dir after they have been uploaded. Those temp files should be removed.

Andrew Clark  2009-03-10 19:28:58
This is the correct fix. PHP's temporary upload files are only meant to stay where they are for the amount of time it takes your processing script to move them to where they actually belong.
chaos  2009-03-10 19:49:34
At some point, PHP's policy became to delete the temp files at the end of the request if you haven't moved/renamed them, so your entire current mechanism will also break if you upgrade past that version.
chaos  2009-03-10 19:50:30
They are being moved. The file that the PHP upload processing script receives from $_FILES['name']['tmp_name'] is wrong to begin with
noaheverett  2009-03-10 20:02:51
+3  A: 

It sounds like something is seriously wrong with either your PHP installation or whichever system call PHP is internally using to generate the random file names (most likely tempnam).

For everyone else: PHP handles uploaded files internally before the user code is ever processed. These names are stored in $_FILES['file']['tmp_name'] (where 'file' is the (quoted) name of the file input element on the form).

R. Bemrose  2009-03-10 19:32:24
Yes I believe you are correct, now I need to figure out how to fix it =B
noaheverett  2009-03-10 19:39:07
I've been seeing if I could find anything on Google, but I haven't. Does the problem still occur if you set upload_tmp_dir to a different directory?
R. Bemrose  2009-03-10 19:43:28
Yeah just tested it out and the problem still happens when the upload_tmp_dir is set to something different, would "noatime" set on the /var partition (where the files are uploaded to) have an affect on this?
noaheverett  2009-03-10 20:07:18
I wouldn't think so, but I'd have to check. Also, I noticed in the pastebin that the group on those files is set to wheel... another reason to use a different temp directory.
R. Bemrose  2009-03-10 20:26:59
About the wheel group issue: http://www.nabble.com/Problem-when-uploading-files-with-Apache-td21898420.html
R. Bemrose  2009-03-10 20:28:02
I've corrected the group issue and it is now www:www, although that probably wasn't meant to be a fix, the issue is still happening
noaheverett  2009-03-10 20:36:00
As much as I hate suggesting it... is it possible to rebuild PHP from the ports collection?
R. Bemrose  2009-03-10 20:45:51
@noaheverett, have you tried modifying upload_tmp_dir using ini_set and the process ID?
vladr  2009-03-10 23:03:38
A: 

After chasing the relevant code down to _gettemp in FreeBSD 7's libc implementation, I'm unclear regarding how the contents of the file tmp_name could be invalid. (To trace it, you might download a copy of PHP 5.2.8 and read in main/rfc1867.c - line 1018 calls in main/php_open_temporary_file.c, the function starting on line 227, which does it's main work in the function starting on line 97, which, however, is essentially just a wrapper for mkstemp on your system, which is found in the FreeBSD libc implementation on line 66 (linked), which uses _gettemp (same as above) to actually generate the random filename. However the manpage for mkstemp mentions in the BUGS section that the arc4random() function is not reentrant. It might be a possibility that 2 simultaneous requests are entering the critical code section and returning the same tmp_name - I know too little about how Apache works with either mod_php or php-cgi to comment there (though using FastCGI/php-cgi might work - I can't comment successfully on this at this time).

However, aiming for the simpliest solution, if you are not quite experiencing the file tmp_name itself being invalid, but colliding instead with other uploaded files (for example, if using the filename portion of tmp_name as your only source of uniqueness in the stored filename), you could be facing collisions due to the birthday paradox. In another question you mention having some 5,000,000 files to move, and in still another question you mention recieving 30-40k uploads a day. This strikes me as a prime situation for a birthday paradox collision. The mktemp man page mentions that (if using six 'Xs' as PHP does) there are 56,800,235,584 possible filenames (62 ** 6, or 62 ** n where n = number of 'Xs', etc). However, given that you have more than some 5 million files, the probability of a collision is approximately 100% (another heuristic suggests you'll have already experienced some order of 220 collisions already, if ((files*(files-1))/2)/(62**6) means anything, where files = 5,000,000). If this is the problem you are facing (probable, if not adding further entropy to the generated uploaded filename), you might try something like move_uploaded_file($file['tmp_name'], UPLOADS.sha1(mt_rand().$file['tmp_name']).strrchr($file['name'], '.')) - the idea being to add more randomness to the random filename, preventing collisions. An alternative could be to add two more 'Xs' to line 134 of main/php_open_temporary_file.c and recompile.

michaelc  2010-07-19 16:52:57

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases