Commit 69475d0

author
Ana Cicconi
committed
Adding a caution to the getUploadRootDir() method
| Doc fix? | yes |
| New docs? | no |
| Applies to | all |
| Fixed tickets | #4177 [Doctrine] Security issue in handling file uploads with Doctrine |
1 parent 12ed2e6 commit 69475d0
1 file changed

+7
-0
lines changed
‎cookbook/doctrine/file_uploads.rst

@@ -99,6 +99,13 @@ file.
9999
If you're using annotations to specify your validation rules (as shown
100100
in this example), be sure that you've enabled validation by annotation
101101
(see :ref:`validation configuration <book-validation-configuration>`).
102+
103+
.. caution::
104+
105+
If you use the getUploadRootDir() method, be aware that this will save
106+
the file inside the document root, which can be accessed by everyone.
107+
Consider placing it out of the document root and adding custom viewing
108+
logic when you need to secure the files.
102109

103110
To handle the actual file upload in the form, use a "virtual" ``file`` field.
104111
For example, if you're building your form directly in a controller, it might
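
Review bot: In the added caution (new lines 103-108), "If you use the getUploadRootDir() method, be aware that this will save the file inside the document root" leaves the method name without literal markup and "this" without a clear referent. The context line below writes ``file`` with double backticks, so ``getUploadRootDir()`` should match, and the sentence could name the cause directly, for example "the ``getUploadRootDir()`` method stores uploads inside the document root, so anyone can request them directly". The closing advice, "adding custom viewing logic", is also vague for a security caution: say that the file should be stored outside the document root and returned by a controller that checks the user's access before sending it. Finally, the caution follows the paragraph on validation by annotation rather than the code it warns about; consider moving it next to the method it refers to.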
