Error ATTACK from FileUploadFile #125
Comments
|
Once the file is moved, any kind of upload validation will obviously fail. In practice, the "is uploaded file" validation can only be performed when validating unfiltered input. |
Ocramius
added
Documentation
Documentation Needed
and removed
Bug
|
@diegobittencourt This is my short test: include_once __DIR__ . '/vendor/autoload.php';
if (count($_FILES)) {
$config = [
[
'type' => Laminas\InputFilter\FileInput::class,
'name' => 'image',
'validators' => [
[
'name' => Laminas\Validator\File\UploadFile::class,
],
[
'name' => Laminas\Validator\File\MimeType::class,
'options' => [
'mimeType' => [
'image/jpeg',
'image/png',
],
],
],
[
'name' => Laminas\Validator\File\IsImage::class,
],
[
'name' => Laminas\Validator\File\ImageSize::class,
'options' => [
'minWidth' => 128,
'minHeight' => 128,
'maxWidth' => 4096,
'maxHeight' => 4096,
],
],
],
'filters' => [
[
'name' => Laminas\Filter\File\RenameUpload::class,
'options' => [
'target' => './docs',
'use_upload_name' => false,
'use_upload_extension' => true,
'overwrite' => true,
'randomize' => true,
],
],
],
],
];
$inputFilter = (new Laminas\InputFilter\Factory())
->createInputFilter($config)
->setData($_FILES);
var_dump($_FILES);
var_dump($inputFilter->isValid());
var_dump($inputFilter->getMessages());
// Execute rename filter
$inputFilter->getValues();
}
?>
<form method="post" enctype="multipart/form-data">
<input type="file" name="image">
<input type="submit">
</form>
The input |
froschdesign
added
Awaiting Author Updates
Question
gsteel
added
Invalid
|
This > 2 year old issue does not seem to be an issue… |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug Report
My upload file validator is configured as below:
[ 'type' => FileInput::class, 'name' => 'image_2', 'required' => false, 'validators' => [ [ 'name' => 'FileUploadFile', ], [ 'name' => 'FileMimeType', 'options' => [ 'mimeType' => [ 'image/jpeg', 'image/png' ] ] ], [ 'name' => 'FileIsImage' ], [ 'name' => 'FileImageSize', 'options' => [ 'minWidth' => 128, 'minHeight' => 128, 'maxWidth' => 4096, 'maxHeight' => 4096 ] ], ], 'filters' => [ [ 'name' => 'FileRenameUpload', 'options' => [ 'target' => './public/img', 'useUploadName' => false, 'useUploadExtension' => true, 'overwrite' => true, 'randomize' => true, ] ] ], ],Error ATTACK is send from validador FileUploadFile:
ATTACK => "File '%value%' was illegally uploaded. This could be a possible attack"The error comes from:
The function is_uploaded_file returns false always after call move_upload_file.
The function move_upload_file is call from Filter FileRenameUpload.
I believe the ATTACK error is correct, but if I call FileUploadRename the ATTACK error will be called inconveniently.
This is unexpected behavior in the development of features, or is there a way to disable ATTACK error so that this does not occur.
The text was updated successfully, but these errors were encountered: