laminas / laminas-inputfilter

Normalize and validate input sets from the web, APIs, the CLI, and more, including files
https://docs.laminas.dev/laminas-inputfilter/
BSD 3-Clause "New" or "Revised" License
42 stars 28 forks

RenameUpload filter breaks UploadFile validator #41

Closed BigMichi1 closed 3 years ago

BigMichi1 commented 3 years ago

Bug Report

| Q | A |
|---|---|
| Version laminas-validator | 2.15.0 |
| Version laminas-filter | 2.12.0 |
| Version laminas-inputfilter | 2.12.0 |

Summary

When the RenameUpload filter is added to a field containing the UploadFile validator, the UploadFile validator fails and issues an error about a possible attack.

See also https://github.com/laminas/laminas-filter/issues/33

The reason for that is that inside the UploadFile a check is performed using the tmp_name to check if the file was uploaded by using the method is_uploaded_file. As the RenameUpload filter is applied before calling the validator, the tmp_name has already been changed based on the configuration for the RenameUpload filter, and so the check fails as tmp_name is no longer the name of the uploaded file in the $_FILES array.

Current behavior

It is impossible to upload a file when the RenameUpload filter and the UploadFile validator are used on the same field.

How to reproduce

Configure a field like this (using array notation for configuring a field):

    public function getInputFilterSpecification(): array
    {
        return [
            'logo' => [
                'required' => false,
                'validators' => [
                    [
                        'name' => UploadFile::class,
                    ],
                ],
                'filters' => [
                    [
                        'name' => RenameUpload::class,
                        'options' => [
                            'target' => './public_html/img/uploads/logo',
                            'randomize' => true,
                        ],
                    ],
                ],
            ],
        ];
    }

Expected behavior

The filter and validator can be used together.

froschdesign commented 3 years ago

@BigMichi1 As written before:

> as the RenameUpload filter is applied before calling the validator

The file validators are run before the filters. Please compare with:

Please add a full code example which allows reproducing the problem, or create a pull request with a unit test which illustrates the problem.

froschdesign commented 3 years ago

@BigMichi1 Please set the type for the input:

    $config = [
        [
            // FileInput runs the validators before the filters
            'type'     => Laminas\InputFilter\FileInput::class,
            'name'     => 'logo',
            'required' => false,
            // …
        ],
    ];

See the related documentation: https://docs.laminas.dev/laminas-inputfilter/file-input/#basic-usage
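The fix from the comment above applied to the array-notation specification from the report, as an added example that is not part of the original thread or the project's own code. The function name `buildLogoInputFilter` and the fail-fast `instanceof` guard are assumptions for illustration.

```php
<?php

declare(strict_types=1);

use Laminas\Filter\File\RenameUpload;
use Laminas\InputFilter\Factory;
use Laminas\InputFilter\FileInput;
use Laminas\InputFilter\InputFilterInterface;
use Laminas\Validator\File\UploadFile;

// Hypothetical helper: builds the input filter for the 'logo' upload field.
function buildLogoInputFilter(): InputFilterInterface
{
    $spec = [
        'logo' => [
            // Without this key the factory creates a plain Input, which
            // filters first: RenameUpload moves the file, and UploadFile's
            // is_uploaded_file() check then sees the new path and rejects it.
            // FileInput validates first and filters only valid uploads.
            'type'       => FileInput::class,
            'required'   => false,
            'validators' => [
                ['name' => UploadFile::class],
            ],
            'filters'    => [
                [
                    'name'    => RenameUpload::class,
                    'options' => [
                        'target'    => './public_html/img/uploads/logo',
                        'randomize' => true,
                    ],
                ],
            ],
        ],
    ];

    $inputFilter = (new Factory())->createInputFilter($spec);

    // Added guard (assumption, not from the thread): fail at build time if
    // the 'type' key is ever dropped, instead of rejecting every upload.
    if (! $inputFilter->get('logo') instanceof FileInput) {
        throw new LogicException("'logo' must be a FileInput");
    }

    return $inputFilter;
}
```

Call `setData()` with the request's file data, then `isValid()`; the upload is moved to the target only when the filtered value is read after validation has passed.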

BigMichi1 commented 3 years ago

Thank you so much, exactly this line was missing. It looks like I should not have started to use that array notation. I was also playing around with the examples from https://docs.laminas.dev/laminas-inputfilter/file-input/#basic-usage and they worked. I just overlooked this one little piece of information.