Closed fritzmg closed 3 years ago
I'm not quite sure if there even is a bug.
Did you use the Cores "FormFileUpload" field or is this a custom form widget?
The Cores widget should always report a tmp_name
that's inside TL_ROOT
:
// Add the session entry (see #6986)
$_SESSION['FILES'][$this->strName] = array
(
'name' => $file['name'],
'type' => $file['type'],
'tmp_name' => TL_ROOT . '/' . $strFile,
'error' => $file['error'],
'size' => $file['size'],
'uploaded' => true,
'uuid' => $strUuid
);
Good point. Yes we do use the regular form upload. I'll debug the issue further why the tmp_name
is not within TL_ROOT
in our case.
With the addition of the
validateFormField
hook in https://github.com/numero2/contao-proper-filenames/commit/76b317218cc40cbd7349277910c1edce094ccb25 the following error will now appear in the front end (in Contao 4.4 at least):I am not sure the current code can ever work, because
tmp_name
is, as the name implies, a temporary location which might be somewhere outside the project root and thusStringUtil::stripRootDir
will always fail.I would propose the following changes:
CheckFilenames::renameFiles
so that it can work with both absolute and project root relative file paths.Filesystem
instead of legacyContao\Files
.I can provide an according PR.