FileValidator validateExtension not working correctly on PHP 8.1 #19307
Comments
Let's dive into source deeper:
// This branch will be executed on PHP 8.1, ignoring $checkExtension, and starts checking the extension (which is absent!). Added in 2.0.45 and breaks code.
your diversion? (:
Yes, I saw this change, but I haven't worked with the fileinfo ext before, so I don't know how to fix it :-(
@Akdmeh where is the code?
helpers/BaseFileHelper.php line 165 (in 2.0.45)
@Akdmeh I can't find this in the current master branch
Maybe this commit deletes these buggy lines and it will fix this issue in the next release (2.0.46)?
@Akdmeh can you load the master branch and check your code?
We worked around this issue (temporarily) by adding
Yes,
Yes, it's fixed in current master.
What steps will reproduce the problem?
Trying to validate an image on a model, e.g. picture.jpg
['image', 'image', 'extensions'=>['jpg', 'jpeg', 'png', 'gif']],
I think the problem is in BaseFileHelper::getMimeType.
Let's see:
Inside FileValidator (which ImageValidator extends) we're trying to get file extension by mime-type via code:
$mimeType = FileHelper::getMimeType($file->tempName, null, false);
As you see, we send tempName (in my case it has a temp path like /tmp/phpn1MNFs, no extension at all!).
But then the magic happens inside FileHelper (and BaseFileHelper).
First, this fallback won't work well:
if (!extension_loaded('fileinfo')) { if ($checkExtension) { return static::getMimeTypeByExtension($file, $magicFile); }
We send /tmp/phpn1MNFs into the $file variable, so no extension is available, which always leads to null and an incorrect result.
Next, if fileinfo is available, there are new lines added recently in 2.0.45:
if (PHP_VERSION_ID >= 80100) { return static::getMimeTypeByExtension($file, $magicFile); }
Again, $file does not have any extension so it will always return null!
That's the reason for this bug.
As far as I understand, before PHP 8.1 the code validated via fileinfo (on the next lines of this method), but the new code disables fileinfo checks for PHP 8.1 and runs getMimeTypeByExtension instead, which cannot work well with a temp upload file without an extension.
But it worked well before (on Yii 2.0.44 & PHP 8.1) in my case.
What is the expected result?
Successful validation
What do you get instead?
Validation failed
Possible ways to fix
Send not tmpName but the original file name (possible vulnerabilities included, so this way needs deeper inspection).
OR
Fix code in method BaseFileHelper::getMimeType to work with fileinfo & PHP 8.1 correctly.
Honestly, I don't see a reason to add:
if (PHP_VERSION_ID >= 80100) { ... } fix, because all of the following code works well in my case, so maybe I'm missing some other behaviour in other parts of the code.
I temporarily fixed the error by setting checkExtensionByMimeType inside the validator to false, but Yii 2.0.45 on PHP 8.1 will break existing file extension checks.
Additional info
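The failure mode the report describes, reproduced in plain PHP as an added example (not code from the issue or from Yii): an extension lookup on an extension-less upload temp path has nothing to work with, while a content-based fileinfo lookup reads the file itself. It goes one step beyond the report and shows a check that accepts the client-supplied name only when its extension agrees with the detected content; the helper names and the small extension map are assumptions.

```php
<?php
// Added example, not Yii code. mimeByExtension(), mimeByContent() and
// extensionMatchesContent() are hypothetical helpers; the map is a constructed subset.
const EXT_TO_MIME = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Extension-based lookup: all it can see is the path string.
function mimeByExtension(string $path): ?string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return EXT_TO_MIME[$ext] ?? null;
}

// Content-based lookup via fileinfo: reads the file's magic bytes.
function mimeByContent(string $path): ?string
{
    if (!extension_loaded('fileinfo')) {
        return null; // callers must treat "unknown" as a validation failure
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === false ? null : $mime;
}

// The client-supplied name is untrusted: accept its extension only if it is
// allow-listed AND maps to the MIME type detected from the content.
function extensionMatchesContent(string $clientName, string $tempPath, array $allowed): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $detected = mimeByContent($tempPath);
    return in_array($ext, $allowed, true)
        && $detected !== null
        && (EXT_TO_MIME[$ext] ?? null) === $detected;
}

// Constructed sample: PNG signature plus an IHDR header, written to an
// extension-less temp file like the /tmp/phpn1MNFs path in the report.
$temp = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($temp, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NNC5', 1, 1, 8, 2, 0, 0, 0));

$allowed = ['jpg', 'jpeg', 'png', 'gif'];
var_dump(mimeByExtension($temp));                                  // lookup on the temp path
var_dump(mimeByContent($temp));                                    // lookup on the file content
var_dump(extensionMatchesContent('picture.png', $temp, $allowed)); // name agrees with content
var_dump(extensionMatchesContent('picture.jpg', $temp, $allowed)); // allow-listed, wrong type
var_dump(extensionMatchesContent('picture.php', $temp, $allowed)); // not allow-listed
unlink($temp);
```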