Error ATTACK from FileUploadFile #125
Comments
Once the file is moved, any kind of upload validation will obviously fail. In practice, the "is uploaded file" validation can only be performed when validating unfiltered input.
@diegobittencourt This is my short test:

```php
<?php
include_once __DIR__ . '/vendor/autoload.php';

if (count($_FILES)) {
    $config = [
        [
            'type'       => Laminas\InputFilter\FileInput::class,
            'name'       => 'image',
            // Validators run against the raw upload, before any filter moves it
            'validators' => [
                [
                    'name' => Laminas\Validator\File\UploadFile::class,
                ],
                [
                    'name'    => Laminas\Validator\File\MimeType::class,
                    'options' => [
                        'mimeType' => [
                            'image/jpeg',
                            'image/png',
                        ],
                    ],
                ],
                [
                    'name' => Laminas\Validator\File\IsImage::class,
                ],
                [
                    'name'    => Laminas\Validator\File\ImageSize::class,
                    'options' => [
                        'minWidth'  => 128,
                        'minHeight' => 128,
                        'maxWidth'  => 4096,
                        'maxHeight' => 4096,
                    ],
                ],
            ],
            // The rename filter moves the temp file into ./docs
            'filters'    => [
                [
                    'name'    => Laminas\Filter\File\RenameUpload::class,
                    'options' => [
                        'target'               => './docs',
                        'use_upload_name'      => false,
                        'use_upload_extension' => true,
                        'overwrite'            => true,
                        'randomize'            => true,
                    ],
                ],
            ],
        ],
    ];

    $inputFilter = (new Laminas\InputFilter\Factory())
        ->createInputFilter($config)
        ->setData($_FILES);

    var_dump($_FILES);
    var_dump($inputFilter->isValid());
    var_dump($inputFilter->getMessages());

    // Execute rename filter
    $inputFilter->getValues();
}
?>
<form method="post" enctype="multipart/form-data">
    <input type="file" name="image">
    <input type="submit">
</form>
```
The input

This > 2 year old issue does not seem to be an issue…
Bug Report
My upload file validator is configured as below:
Error ATTACK is sent from validator FileUploadFile:
ATTACK => "File '%value%' was illegally uploaded. This could be a possible attack"
The error comes from:
The function is_uploaded_file always returns false after calling move_uploaded_file.
The function move_uploaded_file is called from Filter FileRenameUpload.
I believe the ATTACK error is correct, but if I call FileUploadRename the ATTACK error will be called inconveniently.
This is unexpected behavior in the development of features, or is there a way to disable the ATTACK error so that this does not occur?
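The ordering discussed in this thread, shown in plain PHP as an added example (not code from laminas-validator or from any participant): the `is_uploaded_file` check is made on the unfiltered temp path, and the same check is false for both paths once `move_uploaded_file` has run. The `storeUpload` helper, the `uploads` directory (which must already exist and be writable) and the allowed-type map are assumptions; the `image` field name follows the test script above.

```php
<?php
declare(strict_types=1);

/**
 * Validate the raw $_FILES entry first, then move it.
 * Returns the stored path plus what is_uploaded_file() reports after the move.
 */
function storeUpload(array $file, string $targetDir): array
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // assumed policy

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . ($file['error'] ?? 'n/a'));
    }
    $tmp = (string) $file['tmp_name'];

    // 1. Provenance: only meaningful on the untouched temp path.
    if (! is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // 2. Content: type detected from the bytes, not the client-supplied 'type'.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (! isset($allowed[$mime])) {
        throw new RuntimeException('Unexpected MIME type: ' . $mime);
    }

    // 3. Move last, under a server-chosen random name.
    $dest = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (! move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not move upload');
    }

    return [
        'path'                 => $dest,
        // Both are false here: the temp path has been consumed by the move,
        // and the destination was never registered as an upload.
        'tmp_is_upload_after'  => is_uploaded_file($tmp),
        'dest_is_upload_after' => is_uploaded_file($dest),
    ];
}

if (isset($_FILES['image'])) {
    header('Content-Type: text/plain');
    try {
        var_dump(storeUpload($_FILES['image'], __DIR__ . '/uploads'));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```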