
PHP - Why use move_uploaded_file and not rename?

In the manual I can see it says something about security reasons, but I didn't quite understand what the problematic situation is.

This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by destination.

This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

So it makes sure it was uploaded via PHP, but if it did not check that, what could happen? What information could be revealed, and how?

Can someone explain this? An example will be great.

The security issue in this case is that the upload directory will be visible to the public.

To avoid this case, you need to configure your web server, such as Apache, to make the directory forbidden to the public.

Also, whenever you upload a file through a PHP script, rename files with mixed characters.

For example, you could use encrypted timestamps combined with actual file name.

It seems to be conventional to handle file uploads. You could stick with this way to handle file uploads securely.

EDITED:

This answer is edited as per your question in the comment.

You need to have an existing file within any of your www directories to rename it with the rename($existing_old_file_name, $new_file_name) function.

move_uploaded_file($tmp_uploaded_file_name, $new_file_name) function moves the uploaded file from the tmp directory to the destination you specify as a second parameter in the function.

A PHP script will likely move files around whose name is determined at runtime (the name of a temporary file that has just been uploaded). The check is meant to ensure that poorly-written scripts don't expose system files, or files containing authentication secrets.

Suppose I write a script that lets you upload an image to my server, enhance it by embedding some super-cute cat gifs that I provide, and download it again. To keep track of which image you are working on, I embed the file name in the request URLs for my edit buttons:

http://example.com/add-kitty.php?img=ato3508.png&add=kitty31.gif

Or maybe I embed the same information in a cookie or POST data, wrongly thinking that this makes it more secure. Then some moderately enterprising script kiddie comes by and tries this (or the POST/cookie equivalent):

http://example.com/add-kitty.php?img=%2Fetc%2Fpasswd&add=kitty31.gif

See it? That's the path /etc/passwd, URL-encoded. Oops! You may have just made your /etc/passwd file available for download, with a little kitty noise in the middle.

Obviously this is not a full working exploit for anything, but I trust you get the idea: The move_uploaded_file function makes the extra check to protect you from attacks that will inject an unintended filename into your code.
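The difference discussed in the answers above, as an added example that is not part of the original posts: the same request-supplied path is handed to a rename()-based handler and to a move_uploaded_file()-based one. The function names, directory layout and sample file are hypothetical and constructed for the demo; it is meant for the PHP CLI, where no HTTP POST upload exists and move_uploaded_file() therefore returns false, as documented for any path that is not a valid upload file.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: moves whatever path the request names.
function store_with_rename(string $path, string $destDir): ?string
{
    $dest = $destDir . '/' . bin2hex(random_bytes(16));
    return @rename($path, $dest) ? $dest : null;
}

// Hardened pattern: only a file PHP received via HTTP POST is moved.
function store_upload(string $tmpPath, string $destDir): ?string
{
    // Server-generated name; the client's file name never reaches the disk.
    $dest = $destDir . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() checks PHP's own list of files uploaded in this
    // request before moving, so a path injected by the client is refused.
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}

// Constructed demo for the PHP CLI, where no HTTP upload has taken place.
$work = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($work . '/store', 0700, true);

// Constructed stand-in for a sensitive server-side file.
$secret = $work . '/secret.conf';
file_put_contents($secret, "db_password=constructed-sample\n");

// The same request-supplied path goes through both handlers, in order.
$results = [
    'is_uploaded_file'      => is_uploaded_file($secret),
    'moved_by_store_upload' => store_upload($secret, $work . '/store') !== null,
    'secret_still_in_place' => file_exists($secret),
    'moved_by_rename'       => store_with_rename($secret, $work . '/store') !== null,
    'secret_in_place_after' => file_exists($secret),
];
var_dump($results);
```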
