Input sanitization ?

[IP-Developer]

How are the file names / flowIdentifier sanitized before being used ? Maybe I'm wrong, but looking at the code, I can't see any checks being made that would prevent a directory traversal attack for example.

[AidasK]

Good catch. Feel free to overwrite any file in any project.

Fix can be placed on this line, we need to sanitize identifier and chunk index.
https://github.com/flowjs/flow-php-server/blob/master/src/Flow/File.php#L61

Can you contribute on this?

[IP-Developer]

I think it is a really bad idea to use any user input when processing chunks. The first step is to validate everything, presence of flow* variables in $_REQUEST, and the values accordingly (flowChunkNumber, flowTotalChunks, flowChunkSize, flowTotalSize being integers).
Chunks should have some slugified/sanitized names (you can use SplFileInfo to sanitize, more like using getBaseName(), to prevent directory traversal), and the package should prompt for the final file name and path.

[AidasK]

I think it would be enough to change one line in this lib to make it safe.
https://github.com/flowjs/flow-php-server/blob/master/src/Flow/File.php#L61

Should be changed to:
return $this->config->getTempDir().DIRECTORY_SEPARATOR.basename($this->identifier).'_'. (int) $index;

This method is reused in every case.

Final file name is not a concern of this library, it is up to the developer to make it safe.