apache 2.x + php 5.x http post temporary file name non-randomness
Erik Stian Tefre
erik at tefre.com
Mon Nov 12 12:42:10 PST 2007
There seems to be a bug (or feature?) somewhere that limits the number
of unique temporary file names used when storing temporary files that
are uploaded by posting a form. Looking through my webserver logs of
110000 file uploads, I find no more than 495 unique temporary file names
which are being reused again and again.
(File name example: /var/tmp/phpzzJuIt)
I think PHP is supposed to use mkstemp(). From the mkstemp(3) manual:
"The number of unique file names mktemp() can return depends on the
number of `Xs' provided; six `Xs' will result in mktemp() selecting one
of 56800235584 (62 ** 6) possible temporary file names."
PHP uses 6 Xs. This makes the low number of observed unique file names
(495) a bit disappointing.
I have the same problem on the following 2 combinations:
amd64 + freebsd 6.0 + php 5.1 + apache 2.0 prefork MPM (+ several php
extensions)
amd64 + freebsd 6.2 + php 5.2 + apache 2.2 prefork MPM (+ several php
extensions)
Does anyone know what causes this and/or how to fix it?
The attached patch for php 5.2.4 Works For Me(tm), but I'd rather have
the problem fixed at its source than working around it...
--
Erik
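An added diagnostic, not part of the original post or of PHP, that repeats the measurement described above outside Apache: it forks workers the way the prefork MPM does, has each one create and remove files with mkstemp() from a phpXXXXXX template, and counts the distinct names. The function name, the worker counts and the /tmp directory are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define NAME_LEN 64 /* fixed pipe record size; dir plus "/phpXXXXXX" must fit */
static int cmp_name(const void *a, const void *b) { return memcmp(a, b, NAME_LEN); }

/* Returns the number of distinct names seen across all workers, with the number
 * of names collected in *total, or -1 if the pipe or buffer cannot be set up. */
int count_unique_tmp_names(const char *dir, int children, int per_child, int *total)
{
    size_t cap = (size_t)children * per_child * NAME_LEN, got = 0;
    char (*names)[NAME_LEN] = malloc(cap ? cap : 1);
    int p[2], distinct = 0;
    ssize_t r;
    if (names == NULL || pipe(p) != 0) { free(names); return -1; }
    for (int c = 0; c < children; c++) {
        pid_t pid = fork();
        if (pid < 0) break;               /* report what earlier workers saw */
        if (pid > 0) continue;
        close(p[0]);                      /* worker process from here on */
        for (int i = 0; i < per_child; i++) {
            char rec[NAME_LEN] = {0};
            snprintf(rec, sizeof rec, "%s/phpXXXXXX", dir);
            int fd = mkstemp(rec);
            if (fd < 0) _exit(1);
            close(fd);
            unlink(rec);                  /* upload temp files are short-lived */
            if (write(p[1], rec, sizeof rec) != (ssize_t)sizeof rec) _exit(1);
        }
        _exit(0);
    }
    close(p[1]);
    while (got < cap && (r = read(p[0], (char *)names + got, cap - got)) > 0) got += (size_t)r;
    close(p[0]);
    while (wait(NULL) > 0) { }            /* reap every worker */
    *total = (int)(got / NAME_LEN);
    qsort(names, (size_t)*total, NAME_LEN, cmp_name);
    for (int i = 0; i < *total; i++)
        if (i == 0 || memcmp(names[i], names[i - 1], NAME_LEN) != 0) distinct++;
    free(names);
    return distinct;
}

int main(void) {
    int total = 0, distinct = count_unique_tmp_names("/tmp", 8, 1000, &total);
    printf("%d distinct names in %d mkstemp() calls\n", distinct, total);
    return distinct < 0;
}
```

A distinct count far below the total on an affected host, with the web server out of the picture, points at the C library or the fork model rather than at PHP or Apache.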
-------------- next part --------------
--- main/php_open_temporary_file.c.orig Mon Nov 12 18:46:03 2007
+++ main/php_open_temporary_file.c Mon Nov 12 18:49:30 2007
@@ -101,6 +101,7 @@
char cwd[MAXPATHLEN];
cwd_state new_state;
int fd = -1;
+ struct timeval tval;
#ifndef HAVE_MKSTEMP
int open_flags = O_CREAT | O_TRUNC | O_RDWR
#ifdef PHP_WIN32
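Review bot: the added `struct timeval tval;` needs <sys/time.h>, and no hunk in this patch adds that include, so the build relies on some other header pulling it in. The declaration also sits outside any platform guard in a function that has an `#ifdef PHP_WIN32` branch; either guard the variable together with the gettimeofday() call it serves, or confirm the Windows build provides both.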
@@ -131,7 +132,8 @@
trailing_slash = "/";
}
- if (spprintf(&opened_path, 0, "%s%s%sXXXXXX", new_state.cwd, trailing_slash, pfx) >= MAXPATHLEN) {
+ gettimeofday(&tval, NULL);
+ if (spprintf(&opened_path, 0, "%s%s%s_%d_%d_XXXXXX", new_state.cwd, trailing_slash, pfx, tval.tv_sec, tval.tv_usec) >= MAXPATHLEN) {
efree(opened_path);
free(new_state.cwd);
return -1;
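Review bot: in the new spprintf() call, `%d` is passed tval.tv_sec and tval.tv_usec, which are time_t and suseconds_t rather than int; on amd64 these are typically wider than int, so the format and the arguments do not match. Cast both to long and use `%ld`. The return value of gettimeofday() is also unchecked, and because the timestamp can be estimated by anyone who knows roughly when the upload happened, the added fields reduce name reuse without making the name harder to guess; the XXXXXX suffix remains the only random part.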