[Validator] File: add option to check extension #47710
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
c0270d7 to
8b3fff2
Compare
|
Related 😄 #39063 |
|
My patch is a bit more advanced than #39063 and prevents real security issues.
The other PR was only checking the extension, without checking the actual content of the file. My patch can be seen as an easier way to configure the accepted MIME types and an extra check for consistency between the mime type and the extension. When using only mime-type validation, you may have issues:
With my patch, if you only allow |
|
My patch also prevents uploading files with misleading extensions (.e.g., a GIF named |
nicolas-grekas
approved these changes
Sep 28, 2022
72ba357 to
93b8e11
Compare
chalasr
approved these changes
Sep 29, 2022
fabpot
approved these changes
Oct 1, 2022
|
Thank you @dunglas. |
fabpot
added a commit
that referenced
this pull request
Oct 1, 2022
This PR was squashed before being merged into the 6.2 branch. Discussion ---------- [Validator] File: add option to check extension | Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | no | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | n/a | License | MIT | Doc PR | todo This patch adds an `extensions` option to the `File` constraint as an alternative to `mimeTypes` which checks the mime type of the file, its extension, and the consistency between them. I have a use case where I want to assert that: 1. the file is of a given mime type 2. the file has an extension, the extension is in the allow list, and the extension corresponds with the actual mime type of the content I added a new `extension` option to the `File` constraint to do so. Usage: ```php #[File(extensions: 'jpg')] // image.jpg is allowed, image.jpeg isn't, allowed mime types are autodetected, the content of the file is automatically checked #[File(extensions: ['xml' => ['text/xml', 'application/xml'], 'txt'])] // XML files are allowed as long as the extension is .XML, .txt files are allowed if their mime type is text (allowed mime type are auto-detected) ``` Commits ------- 1613e55 [Validator] File: add option to check extension
93b8e11 to
1613e55
Compare
fabpot
added a commit
that referenced
this pull request
Oct 20, 2022
… (dunglas) This PR was squashed before being merged into the 6.2 branch. Discussion ---------- Validator: fix FileValidator when value is an UploadedFile | Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | yes | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | n/a| License | MIT | Doc PR | n/a The code I introduced in #47710 is currently broken if the file to validate is a `UploadedFile` instance, as we must check the original extension of the file submitted by the client, not the one (that doesn't exist) of the temporary file created on the server by PHP. This patch fixes the issue. Commits ------- e24ef9d Validator: fix FileValidator when value is an UploadedFile
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch adds an
extensionsoption to theFileconstraint as an alternative tomimeTypeswhich checks the mime type of the file, its extension, and the consistency between them.I have a use case where I want to assert that:
I added a new
extensionoption to theFileconstraint to do so.Usage: