From 5f351cebd4cc48019217c8721f6aaaf6272b2cb4 Mon Sep 17 00:00:00 2001 From: Lito Date: Wed, 22 Nov 2023 17:04:24 +0100 Subject: [PATCH 1/3] Update validation.md with extensions validator Related https://github.com/laravel/framework/pull/49082 --- validation.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/validation.md b/validation.md index 07202376cb2..286883e61bc 100644 --- a/validation.md +++ b/validation.md @@ -902,6 +902,7 @@ Below is a list of all available validation rules and their function: [Exclude With](#rule-exclude-with) [Exclude Without](#rule-exclude-without) [Exists (Database)](#rule-exists) +[Extensions](#rule-extensions) [File](#rule-file) [Filled](#rule-filled) [Greater Than](#rule-gt) @@ -1325,6 +1326,11 @@ You may explicitly specify the database column name that should be used by the ` 'state' => Rule::exists('states', 'abbreviation'), + +#### extensions:_foo_,_bar_,... + +The file under validation must have an extension corresponding to one of the listed extensions. This validation can be used in combination with [MIME Types](#rule-mimetypes) and [MIME Type By File Extension](#rule-mimes) validators. + #### file @@ -1464,6 +1470,9 @@ To determine the MIME type of the uploaded file, the file's contents will be rea The file under validation must have a MIME type corresponding to one of the listed extensions. +> **Note** +> This validation does not check the correspondence between the mimetype and the extension used for the file name. For example, the `mimes:png` validation would be valid for a PNG type file named `photo.txt`. If you want to validate the extension of the file name itself, you can use the [`extensions`](#rule-extensions) validator. + #### Basic Usage Of MIME Rule From 0f6f27f7c70a9149c003f6384e25e0a2ba61b280 Mon Sep 17 00:00:00 2001 
From: Lito Date: Wed, 22 Nov 2023 17:23:23 +0100 Subject: [PATCH 2/3] Added security warning to `extensions` rule. --- validation.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/validation.md b/validation.md index 286883e61bc..9409df6aafa 100644 --- a/validation.md +++ b/validation.md @@ -1329,7 +1329,10 @@ You may explicitly specify the database column name that should be used by the ` #### extensions:_foo_,_bar_,... -The file under validation must have an extension corresponding to one of the listed extensions. This validation can be used in combination with [MIME Types](#rule-mimetypes) and [MIME Type By File Extension](#rule-mimes) validators. +The file under validation must have an extension corresponding to one of the listed extensions. + +> **Warning** +> For security reasons, you should never only validate a file type by its extension. Since `extensions` does not validate that the file type matches its extension, this rule should always be used in combination with the [MIME Types](#rule-mimetypes) or [MIME Type By File Extension](#rule-mimes) validations. #### file From 313facec12f245a2a6faa1a48f3bc7ba9aabac19 Mon Sep 17 00:00:00 2001 From: Taylor Otwell Date: Tue, 28 Nov 2023 09:13:00 -0600 Subject: [PATCH 3/3] formatting --- validation.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/validation.md b/validation.md index 9409df6aafa..b505393a2ff 100644 --- a/validation.md +++ b/validation.md 
@@ -1329,10 +1329,12 @@ You may explicitly specify the database column name that should be used by the ` #### extensions:_foo_,_bar_,... -The file under validation must have an extension corresponding to one of the listed extensions. +The file under validation must have a user-assigned extension corresponding to one of the listed extensions: + + 'photo' => ['required', 'extensions:jpg,png'], > **Warning** -> For security reasons, you should never only validate a file type by its extension. Since `extensions` does not validate that the file type matches its extension, this rule should always be used in combination with the [MIME Types](#rule-mimetypes) or [MIME Type By File Extension](#rule-mimes) validations. +> You should never rely on validating a file by its user-assigned extension alone. This rule should typically always be used in combinatino with the [`mimes`](#rule-mimes) or [`mimetypes`](#rule-mimetypes) rules. #### file @@ -1471,13 +1473,7 @@ To determine the MIME type of the uploaded file, the file's contents will be rea #### mimes:_foo_,_bar_,... -The file under validation must have a MIME type corresponding to one of the listed extensions. - -> **Note** -> This validation does not check the correspondence between the mimetype and the extension used for the file name. For example, the `mimes:png` validation would be valid for a PNG type file named `photo.txt`. If you want to validate the extension of the file name itself, you can use the [`extensions`](#rule-extensions) validator. - - -#### Basic Usage Of MIME Rule +The file under validation must have a MIME type corresponding to one of the listed extensions: 'photo' => 'mimes:jpg,bmp,png' 
@@ -1485,6 +1481,11 @@ Even though you only need to specify the extensions, this rule actually validate [https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types](https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types) + +#### MIME Types & Extensions + +This validation rule does not verify agreement between the MIME type and the extension the user assigned to the file. For example, the `mimes:png` validation rule would consider a file containing valid PNG content to be a valid PNG image, even if the file is named `photo.txt`. If you would like to validate the user-assigned extension of the file, you may use the [`extensions`](#rule-extensions) rule. + #### min:_value_
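Review bot: In PATCH 3/3, hunk `@@ -1329,10 +1329,12 @@`, the added example `'photo' => ['required', 'extensions:jpg,png'],` applies `extensions` on its own, directly above the warning that says the rule should not be relied on alone. Examples get copied more readily than warnings get read, so consider showing the combination the warning recommends, for example `'photo' => ['required', 'mimes:jpg,png', 'extensions:jpg,png'],`. The warning line in the same hunk also has a typo, "combinatino" for "combination", and "typically always" contradicts itself; keep one of the two words.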
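Review bot: In PATCH 3/3, hunk `@@ -1485,6 +1481,11 @@`, the new "MIME Types & Extensions" paragraph opens with "This validation rule", but it now sits under its own heading, so the reader has to infer which rule is meant. Name it explicitly, e.g. "The `mimes` rule does not verify agreement between the MIME type and the extension ...". The closing sentence says you "may use" `extensions`, which is weaker than the warning this series adds under `extensions`; consider saying here too that the two rules are meant to be combined when the file name's extension matters.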