phUloader v1.3 CHMOD settings

[paulus]

Hi,
Happy easter for everyone!
This is the first time I'm trying to implement a php script instead of the usual javascripts. I can read a php script but I'm not able (yet) to write such a script myself.
I love this script because of its simplicity and the fact that it offers a lot of options I'm looking for, but ................. I'm stuck because Apache seems to be the owner of uploaded files (CHMOD 0600) The person who uploads a file can access it by clicking on the URL in the html output. Suppose someone else uploads a file to my site. I'm not the owner and therefore I cant access it.
On 06.23.2008 Scott explained to Yogi how to adapt the phUploader script v1.2 in order to make the script change the CHMOD settings of uploaded files to 0755.
Because the code of v1.3 differs from v1.2 and mainly because it's security issue I prefer to pose the question to you experts instead of experimenting.
Thanks in advance for your kind help.
Regards
Paul

[Scott]

There are a few thing you can do to help your situation. The first is to CHMOD your files after upload.

After this: (line 246)

PHP Code:

                    If(move_uploaded_file($_FILES['file']['tmp_name'][$i],$folder.$file_name[$i].".".$file_ext[$i])) { 


ADD This:

PHP Code:

@chmod($folder.$file_name[$i].".".$file_ext[$i], 0755); 


If that does not solve your issue you may want to play around with the chown function. http://php.net/manual/en/function.chown.php but I've personally never had to use it. It would work the same way as chmod, you'd add it below your chmod function. Example:

PHP Code:

If(move_uploaded_file($_FILES['file']['tmp_name'][$i],$folder.$file_name[$i].".".$file_ext[$i])) {
    chmod($folder.$file_name[$i].".".$file_ext[$i], 0755);
    chown($folder.$file_name[$i].".".$file_ext[$i], "YOUR_LINUX_USER_NAME") 


[paulus]

Thanks Scott
Your @chmod(....etc) suggestion solved my problem.
Paul

[paulus]

Sorry Scott, I was too fast confirming that the @chmod(....etc) suggestion solved my problem.
What happens now is way above my capacity.
The sizes of the files send and received are different.
I've uploaded a .doc file, size: 22,528 bytes and received 22,549 bytes.
I've uploaded a .jpg file, size: 5,837 bytes and received 5,847 bytes.
I'm not able to open the word document (Office error message "try to open and repair" which doesn't work) and the jpg image is distorted (some parts invisible, some parts greyed out).
Same problem with uploaded pdf (shows a blank page), zip and rar (unable to open) files
When I remove the @chmod line the file size doesn't change, but I can't download them (initial CHMOD 0600 problem)
Any idea what happens here?
Paul

[paulus]

Hi Scott,
This morning I contacted my hosting company.
I found out that due to security issues (shared webhosting) they configured PHP in safe_mode.
They told me that the script probably doesn’t assign a specific owner of the uploaded files and therefore automatically Apache becomes the owner. The support guy suggested that under these conditions perhaps changing ownership after uploading could damage the files.
Hope this extra info helps solving the problem.
Paul

[Scott]

That's when the chown function posted above would come in handy. That way right after upload you can give yourself ownership of the file.

[paulus]

Hi Scott,
I've been abroad for a few days so I wasn't able to check immediately chown.
Well, it works fine now.
Thanks for your kind and professional help.
Paul