This comment in file_save_upload() seems to have been moved around within Drupal several times, to the point where I'm not sure where it originally came from back in the mists of time:
// Move uploaded files from PHP's upload_tmp_dir to Drupal's temporary
// directory. This overcomes open_basedir restrictions for future file
// operations.
$file->setFileUri($file->destination);
if (!drupal_move_uploaded_file($file_info->getRealPath(), $file->getFileUri())) {
It's no longer correct, and is quite misleading; the uploaded file is being moved to its actual destination here rather than into Drupal's temporary directory.
I think we can see the patch which changed this functionality here: #115267-67: Simplify File Uploads, Centralize File Validation and Quotas, Fix File Previews....
There was subsequently some discussion about changing the way this works re. open_basedir in #357469: file_save_upload() fails to handle open_basedir restriction, however, based on the apparent lack of progress / discussion there it looks like Damien Tournoud was probably right to mark it as "Closed (won't fix)" (in #22), saying:
move_uploaded_file() is affected by open_basedir restrictions. That means that you have to make sure that the upload_tmp_dir is in the open_basedir paths for file uploads to work in any PHP application in the first place.
Note that there is also a relevant workaround in place in FileSystem::moveUploadedFile
So with that context, it looks like the comment about moving the uploaded file to Drupal's temp directory should be removed or at least updated.