The PHP documentation for is_uploaded_file says:
Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance,
/etc/passwd
.
It also suggests this:
For proper working, the function is_uploaded_file() needs an argument like $_FILES['userfile']['tmp_name'], - the name of the uploaded file on the client's machine $_FILES['userfile']['name'] does not work.
But as far as I know tmp_name
isn't user controlled anyways, so the check shouldn't be required.
And if I use name
instead of tmp_name
when uploading files (for example by using copy
instead of move_uploaded_file
), my file upload script wouldn't actually work, as it would always move the wrong file.
My questions:
- The comments mention that
move_uploaded_file
performs theis_uploaded_file
check itself, it that true? - Is
tmp_name
user controlled in any way? - Is there a realistic scenario where
is_uploaded_file
is actually required when uploading a file - or when performing any other action such as reading, deleting, etc. - , as there would be a vulnerability without it? Or is the function completely useless?