[Validator] Add extensions option to File constraint #39063
Conversation
|
|
||
| if ($constraint->extensions) { | ||
| if ($value instanceof FileObject) { | ||
| $fileExtension = $value->getExtension(); |
There was a problem hiding this comment.
$fileExtension = $value instanceof FileObject ? $value->getExtension() : (new FileObject($value))->getExtension();|
|
||
| $extensions = (array) $constraint->extensions; | ||
|
|
||
| foreach ($extensions as $extension) { |
There was a problem hiding this comment.
if(in_array($fileExtension, $extensions)) {
return;|
I've read this PR many times and I've always been a bit reluctant to accept it. I think I'm 👎 as I don't want to promote such a practice. Let see what @symfony/mergers think. |
|
I agree with @fabpot, I'm therefor closing. Thanks for proposing. |
|
Hey 👋 |
|
This name field is pure user input. As such, it cannot prevent any malicious input. Precisely because this is a common mistake - thinking that it could save from a malicious user as you just did - adding this could create a false sense of added security. |
|
Thanks @nicolas-grekas 👍 |
Add an
extensionsoption to theFileconstraint to validate that the given file has the expected extension.Even if the extension can be easily changed and that checking the MIME type is a better validation, it can be useful for instance to validate an APK file (the MIME type is often
application/zip) or simply to prevent a user mistake.