Contrib.social

Can't upload when filefield_paths_temp_location has nested temporary:// dirs

Open on Drupal.org →
Created on 16 December 2022, almost 2 years ago
Updated 14 May 2024, 6 months ago

Problem/Motivation

Whilst this behaviour was exposed on a recent upgrade from 7.x-1.1 to 7.x-1.2, I believe it would have affected earlier versions.

I have a site where filefield_paths_temp_location was set to public://protected/tmp . The site has a custom setup (combination of apache .htaccess rules and custom permissions module) which ensures that public://protected/tmp is not accessible. Upon upgrading to 7.x-1.2, this was rewritten to temporary://protected/tmp . When I then try to upload a file to a field using filefield_paths, the node/add form reports "File upload error. Could not move uploaded file.", and the Drupal log notes

Warning: move_uploaded_file(): Unable to move '/tmp/phpvra1WP' to 'temporary://protected/tmp/file.pdf' in drupal_move_uploaded_file() (line 1711 of /var/www/drupal/alt36/includes/file.inc).

The system uses systemd tmpfiles, so the target file destination is /tmp/$SYSTEMD_TMP_PATH/tmp/protected/tmp/ but there has been no call to e.g. file_prepare_directory() to ensure that that directory exists.

Note that if I go to admin/config/media/file-system/filefield-paths , set the temporary file location and save then the form validation hook calls file_prepare_directory() and creates the appropriate directory structure and I can upload files OK. However, upon rebooting the server, /tmp is of course emptied and I have the same problem.

My workaround has been to manually reset the temporary file location to the original public://protected/tmp (via the admin form to ensure file_prepare_directory() is called, rather than using variable_set as in filefield_paths_update_7108() )

🐛 Bug report
Status

Active

Version

1.2

Component

Code

Created by

🇬🇧United Kingdom alt36

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago
    🇵🇭Philippines rusylnarito

    files are going to temporary even the public , also private is already configured with writable but still going to temporary

  • Status changed to Closed: works as designed 6 months ago
  • Comment 6 months ago
    solideogloria

    I'm going to close. I'm not the maintainer, but the security update was important. There's no way for the module to detect whether your public directory is properly secured, so I think it's best to assume that site maintainers will manually change the setting after database updates if needed.

  • Status changed to Active 6 months ago
  • Comment 6 months ago
    solideogloria

    The system uses systemd tmpfiles, so the target file destination is /tmp/$SYSTEMD_TMP_PATH/tmp/protected/tmp/ but there has been no call to e.g. file_prepare_directory() to ensure that that directory exists.

    This part could still be an issue.

    The part that's not an issue is the automated change from public:// to temporary://

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024