RenameUpload filter breaks UploadFile validator #33

Closed
BigMichi1 opened this issue Nov 2, 2021 · 1 comment
Labels
Bug Something isn't working


@BigMichi1

Bug Report

| Q | A |
|---|---|
| Version | laminas-validator 2.15.0 |
| Version | laminas-filter 2.12.0 |

Summary

When the RenameUpload filter is added to a field containing the UploadFile validator, the UploadFile validator fails and issues an error about a possible attack.

The reason for that is that inside the UploadFile a check is performed using the tmp_name to check if the file was uploaded, by using the method is_uploaded_file. As the RenameUpload filter is applied before calling the validator, the tmp_name has already been changed based on the configuration for the RenameUpload filter, and so the check fails, as tmp_name is no longer the name of the uploaded file in the $_FILES array.

Current behavior

It is impossible to upload a file when the RenameUpload filter and the UploadFile validator are used on the same field.

How to reproduce

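Configure a field like this (using array notation for configuring a field):

    // Requires at the top of the file:
    //   use Laminas\Filter\File\RenameUpload;
    //   use Laminas\Validator\File\UploadFile;
    public function getInputFilterSpecification(): array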
    {
        return [
            'logo' => [
                'required' => false,
                'validators' => [
                    [
                        'name' => UploadFile::class,
                    ],
                ],
                'filters' => [
                    [
                        'name' => RenameUpload::class,
                        'options' => [
                            'target' => './public_html/img/uploads/logo',
                            'randomize' => true,
                        ],
                    ],
                ],
            ],
        ];
    }

Expected behavior

The filter and validator can be used together.

@BigMichi1 BigMichi1 added the Bug Something isn't working label Nov 2, 2021
@froschdesign
Member

@BigMichi1
This topic is related to laminas-inputfilter because filtering is not a part of laminas-validator.

> as the RenameUpload filter is applied before calling the validator

The validators are run before the filters. Please compare with:


Please open a new issue report on laminas-inputfilter and add a full code example which allows reproducing the problem, or create a pull request with a unit test which illustrates the problem.
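
The ordering question discussed in this thread, as an added example that is not part of the issue or of the Laminas code base: a check with `is_uploaded_file` semantics only accepts the temporary path PHP created for the request, so it rejects the file once `tmp_name` has been rewritten by a rename step. `UploadRegistry`, `renameUpload` and `process` are hypothetical stand-ins, and the upload itself is simulated because `is_uploaded_file` never returns true outside a real HTTP POST.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for PHP's per-request upload registry.
final class UploadRegistry
{
    /** @var array<string, true> */
    private array $known = [];

    public function register(string $tmpName): void
    {
        $this->known[$tmpName] = true;
    }

    // Same contract as is_uploaded_file(): true only for a registered temp path.
    public function isUploaded(string $path): bool
    {
        return isset($this->known[$path]);
    }
}

// Hypothetical rename step: moves the file to a randomized name and rewrites tmp_name.
function renameUpload(array $file, string $targetDir): array
{
    $target = $targetDir . '/logo_' . bin2hex(random_bytes(8));
    rename($file['tmp_name'], $target);
    $file['tmp_name'] = $target;
    return $file;
}

// Runs the provenance check either before or after the rename step.
function process(array $file, UploadRegistry $reg, string $dir, bool $validateFirst): array
{
    if (! $validateFirst) {
        $file = renameUpload($file, $dir);      // rename before validation
    }
    $ok = $reg->isUploaded($file['tmp_name']);  // provenance check on tmp_name
    if ($ok && $validateFirst) {
        $file = renameUpload($file, $dir);      // rename only after a passed check
    }
    return [$ok, $file['tmp_name']];
}

$dir = sys_get_temp_dir();
foreach ([false, true] as $validateFirst) {
    $tmp = tempnam($dir, 'php');                // constructed sample "upload"
    $reg = new UploadRegistry();
    $reg->register($tmp);
    $file = ['name' => 'logo.png', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
    [$ok, $path] = process($file, $reg, $dir, $validateFirst);
    printf("validate first: %s, accepted: %s\n", var_export($validateFirst, true), var_export($ok, true));
    unlink($path);                              // clean up the sample file
}
```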
