Fix possibility for spoofed files to pass validation.

Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through.

Author: markstory

src/Validation/Validation.php

@@ -1029,7 +1029,7 @@ public static function uploadedFile($file, array $options = [])
         if (isset($options['types']) && !static::mimeType($file, $options['types'])) {
             return false;
         }
-        return true;
+        return is_uploaded_file($file['tmp_name']);
     }
 
     /**

tests/TestCase/Validation/ValidationTest.php

@@ -21,6 +21,8 @@
 use Cake\Validation\Validation;
 use Locale;
 
+require_once __DIR__ . '/stubs.php';
+
 /**
  * Test Case for Validation Class
  *

tests/TestCase/Validation/stubs.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
+ * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+ *
+ * Licensed under The MIT License
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+ * @link          http://cakephp.org CakePHP(tm) Project
+ * @since         3.2.5
+ * @license       http://www.opensource.org/licenses/mit-license.php MIT License
+ */
+namespace Cake\Validation {
+    /**
+     * Use namespace injection to overwrite is_uploaded_file()
+     * during tests.
+     *
+     * @param string $filename The file to check.
+     * @return bool Whether or not the file exists.
+     */
+    function is_uploaded_file($filename)
+    {
+        return file_exists($filename);
+    }
+}
+