From b14a6814d8db49baa6d2a468ad36e88a00cdbfb5 Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Mon, 28 Mar 2016 22:05:59 -0400
Subject: [PATCH] Fix possibility for spoofed files to pass validation.

Use `is_uploaded_file` to prevent crafty requests that contain bogus files from getting through.
---
 src/Validation/Validation.php | 2 +-
 tests/TestCase/Validation/ValidationTest.php | 2 ++
 tests/TestCase/Validation/stubs.php | 28 ++++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 tests/TestCase/Validation/stubs.php

diff --git a/src/Validation/Validation.php b/src/Validation/Validation.php
index 101f231bf7b..015c5811f0d 100644
--- a/src/Validation/Validation.php
+++ b/src/Validation/Validation.php
@@ -1004,7 +1004,7 @@ public static function uploadedFile($file, array $options = [])
 if (isset($options['types']) && !static::mimeType($file, $options['types'])) {
 return false;
 }
- return true;
+ return is_uploaded_file($file['tmp_name']);
 }
 
 /**
diff --git a/tests/TestCase/Validation/ValidationTest.php b/tests/TestCase/Validation/ValidationTest.php
index 88db6ef13f4..a8c1d04a95e 100644
--- a/tests/TestCase/Validation/ValidationTest.php
+++ b/tests/TestCase/Validation/ValidationTest.php
@@ -20,6 +20,8 @@
 use Cake\Validation\Validation;
 use Locale;
 
+require_once __DIR__ . '/stubs.php';
+
 /**
 * Test Case for Validation Class
 *
diff --git a/tests/TestCase/Validation/stubs.php b/tests/TestCase/Validation/stubs.php
new file mode 100644
index 00000000000..5cade50641b
--- /dev/null
+++ b/tests/TestCase/Validation/stubs.php
@@ -0,0 +1,28 @@
+
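Review bot: `return is_uploaded_file($file['tmp_name']);` runs only after the `types` branch, so `static::mimeType($file, $options['types'])` still opens whatever path `tmp_name` names before the spoofing check is reached; the check belongs ahead of any step that reads the file, e.g. `if (!is_uploaded_file($file['tmp_name'])) { return false; }` placed before the `types` check, with the method ending in `return true;` as it did before. The start of `uploadedFile()` is outside the hunk, so whether `tmp_name` is guaranteed to be present (and a string) by the earlier checks cannot be confirmed here; if it is not, guard it with `isset($file['tmp_name'])` first. The method's docblock should also state that a file now validates only when PHP received it as an upload in the current request, since that is an observable change for callers and the reason CLI tests need a stub.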
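Review bot: The new `require_once __DIR__ . '/stubs.php';` gives the reader no hint of what the stubs file provides or why a test case needs it. It presumably supplies a replacement `is_uploaded_file()` so `Validation::uploadedFile()` can be exercised outside a real HTTP upload; a one-line comment such as `// Load a stub of is_uploaded_file() so uploadedFile() can be tested from the CLI.` would make that dependency explicit. Because the stub is loaded once for the whole test process, it is worth noting in that comment that every later test resolving the same function name will see the stub as well.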