diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[HttpFoundation] UploadedFile - moved a security check

Browse Source 
Squashed commit of the following:

commit b03b32ecc985c4a4f9dc7df2d3336a4cd75aae30
Merge: fb7004b fc70e13
Author: Bilal Amarni <bilal.amarni@gmail.com>
Date:   Wed Feb 27 11:33:37 2013 +0100

    [HttpFoundation] UploadedFile - moved a security check

commit fc70e138c1d3858775c9efe51268cae6d7ec3f69
Author: Bilal Amarni <bilal.amarni@gmail.com>
Date:   Thu Jan 24 11:07:29 2013 +0100

    explicitly passed UPLOAD_ERR_OK constant in a test

commit dda03a2faab9539ca3a93736dd2bc0ec27feb4e7
Author: Bilal Amarni <bilal.amarni@gmail.com>
Date:   Fri Jan 18 17:24:06 2013 +0100

    [HttpFoundation] UploadedFile - moved a security check from move() to isValid()
This commit is contained in:
Bilal Amarni 2013-03-23 10:56:11 +01:00
parent 69dbbdda3d
commit 5bb44f52a0
4 changed files with 35 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/Symfony/Component/HttpFoundation/File/UploadedFile.php
View File

@ -179,13 +179,15 @@ class UploadedFile extends File
/** /**
* Returns whether the file was uploaded successfully. * Returns whether the file was uploaded successfully.
* *
* @return Boolean True if no error occurred during uploading * @return Boolean True if the file has been uploaded with HTTP and no error occurred.
* *
* @api * @api
*/ */
public function isValid() public function isValid()
{ {
return $this->error === UPLOAD_ERR_OK; $isOk = $this->error === UPLOAD_ERR_OK;
return $this->test ? $isOk : $isOk && is_uploaded_file($this->getPathname());
} }
/** /**
@ -196,7 +198,7 @@ class UploadedFile extends File
* *
* @return File A File object representing the new file * @return File A File object representing the new file
* *
* @throws FileException if the file has not been uploaded via Http * @throws FileException if, for any reason, the file could not have been moved
* *
* @api * @api
*/ */
@ -205,7 +207,8 @@ class UploadedFile extends File
if ($this->isValid()) { if ($this->isValid()) {
if ($this->test) { if ($this->test) {
return parent::move($directory, $name); return parent::move($directory, $name);
} elseif (is_uploaded_file($this->getPathname())) { }
$target = $this->getTargetFile($directory, $name); $target = $this->getTargetFile($directory, $name);
if (!@move_uploaded_file($this->getPathname(), $target)) { if (!@move_uploaded_file($this->getPathname(), $target)) {
@ -217,9 +220,8 @@ class UploadedFile extends File
return $target; return $target;
} }
}
throw new FileException(sprintf('The file "%s" has not been uploaded via Http', $this->getPathname())); throw new FileException(sprintf('The file "%s" is not valid', $this->getPathname()));
} }
/** /**

16
src/Symfony/Component/HttpFoundation/Tests/File/UploadedFileTest.php
View File

@ -197,7 +197,8 @@ class UploadedFileTest extends \PHPUnit_Framework_TestCase
'original.gif', 'original.gif',
null, null,
filesize(__DIR__.'/Fixtures/test.gif'), filesize(__DIR__.'/Fixtures/test.gif'),
UPLOAD_ERR_OK UPLOAD_ERR_OK,
true
); );
$this->assertTrue($file->isValid()); $this->assertTrue($file->isValid());
@ -229,4 +230,17 @@ class UploadedFileTest extends \PHPUnit_Framework_TestCase
array(UPLOAD_ERR_EXTENSION), array(UPLOAD_ERR_EXTENSION),
); );
} }
public function testIsInvalidIfNotHttpUpload()
{
$file = new UploadedFile(
__DIR__.'/Fixtures/test.gif',
'original.gif',
null,
filesize(__DIR__.'/Fixtures/test.gif'),
UPLOAD_ERR_OK
);
$this->assertFalse($file->isValid());
}
} }

4
src/Symfony/Component/HttpKernel/Tests/ClientTest.php
View File

@ -114,7 +114,7 @@ class ClientTest extends \PHPUnit_Framework_TestCase
$files = array( $files = array(
array('tmp_name' => $source, 'name' => 'original', 'type' => 'mime/original', 'size' => 123, 'error' => UPLOAD_ERR_OK), array('tmp_name' => $source, 'name' => 'original', 'type' => 'mime/original', 'size' => 123, 'error' => UPLOAD_ERR_OK),
new UploadedFile($source, 'original', 'mime/original', 123, UPLOAD_ERR_OK), new UploadedFile($source, 'original', 'mime/original', 123, UPLOAD_ERR_OK, true),
); );
foreach ($files as $file) { foreach ($files as $file) {
@ -147,7 +147,7 @@ class ClientTest extends \PHPUnit_Framework_TestCase
$file = $this $file = $this
->getMockBuilder('Symfony\Component\HttpFoundation\File\UploadedFile') ->getMockBuilder('Symfony\Component\HttpFoundation\File\UploadedFile')
->setConstructorArgs(array($source, 'original', 'mime/original', 123, UPLOAD_ERR_OK)) ->setConstructorArgs(array($source, 'original', 'mime/original', 123, UPLOAD_ERR_OK, true))
->setMethods(array('getSize')) ->setMethods(array('getSize'))
->getMock() ->getMock()
; ;

2
src/Symfony/Component/Validator/Tests/Constraints/FileValidatorTest.php
View File

@ -82,7 +82,7 @@ abstract class FileValidatorTest extends \PHPUnit_Framework_TestCase
$this->context->expects($this->never()) $this->context->expects($this->never())
->method('addViolation'); ->method('addViolation');
$file = new UploadedFile($this->path, 'originalName'); $file = new UploadedFile($this->path, 'originalName', null, null, null, true);
$this->validator->validate($file, new File()); $this->validator->validate($file, new File());
} }