Zend framework file upload illegally uploaded

Posted 2019-02-18 20:45

Question:

I'm trying to upload files within a normal form with other text fields.

So far, the file gets uploaded to a temp folder but not to my destination folder. I always get this error: "File 'upload' was illegally uploaded. This could be a possible attack".

I've checked the filename of the tempfile and that has the correct url in the correct folder.

What am I missing here?

        $form = new Zend_Form();
        $form->setAttrib('enctype', 'multipart/form-data');
        $form->setMethod('post')

             ->addElement('file', 'pdf', array(
                                            'size' => '40',
                                            'label' => 'Select File',
                                            'required' => true,
                                            'validators' => array(
                                                            'Size' => array('min' => 20, 'max' => 1000000)
                                                            )
                                            )
                        )

            ->addElement('submit', 'Save')
        ;

        if ( $this->getRequest()->isPost() ) {
            if ( $form->isValid($this->getRequest()->getParams()) ) {
                $id = $form->getValue('name');

                $upload = new Zend_File_Transfer_Adapter_Http();
                $uploadDestination = APPLICATION_PATH . '/../public/uploads/'.$id;

                if(!is_dir($uploadDestination)){
                    mkdir($uploadDestination, 0777, true);
                }

                $upload->setDestination($uploadDestination);
                echo $upload->getFileName();

                if($upload->receive('pdf'))
                {
                    echo '<pre>';
                    print_r($form->getValues());
                    die();
                }
                else
                {
                    $messages = $upload->getMessages();
                    echo implode("\n", $messages);
                    die();
                }
            }
        }

$upload->receive('pdf'); is what's not working properly.

Answer 1:

I think things may have improved in Zend Framework since this question was asked.

The code below shows a working example of a robust file validation, including customised error messages.

The key point is that the Zend_Form::isValid() method is all you need; you don't need to validate the file transfer separately.

Your form definition; note that the file validators are added as if they were normal validators:

class Jogs_Form_ImportForm extends Zend_Form
{
    public function init()
    {
        $this->setAttrib('enctype', 'multipart/form-data');        
        $this->setAttrib( 'id', 'form-import' );

        $importAction = $this->addElement('radio', 'importAction', array(
            'multiOptions' => array(
                'components' => 'Import components',
                'layouts' => 'Import layouts',
                'layoutComponents' => 'Import layout components',
            ),
            'required'   => true,
            'label'      => 'Import Type:',
        ));

        $upload = $this->addElement( 'file', 'import-file', array( 
            'label' => 'Text (tab delimited) file (.txt)',
            'validators' => array(
            'Size'  => array('max' => 10*1024*1024),
            'Extension'  => array('txt', 'messages' => array(
                 Zend_Validate_File_Extension::FALSE_EXTENSION 
                 => 'file must end with ".txt"' ) ),
            'MimeType' => array( 'text/plain', 'messages' => array( 
                 Zend_Validate_File_MimeType::FALSE_TYPE 
                 => 'file must be text (tab delimited)' ) ),            
            )
        ) );

        $go = $this->addElement('submit', 'go', array(
            'required' => false,
            'ignore'   => true,
            'label'    => 'Go',
        ));
    }
}

Your controller class:

class ImportController extends Zend_Controller_Action
{
    public function indexAction(){
        $form = new Jogs_Form_ImportForm();
        $this->view->form = $form;

        if ( 
        $this->getRequest()->isPost() 
        && 
        $form->isValid( $this->getRequest()->getPost() ) 
        ){
            $data = $form->getValues();
            // get the file info
            $ft = $form->getElement('import-file')->getTransferAdapter();
            $fileInfo = $ft->getFileinfo();
        }

    }

}


Answer 2:

I think you might have solved the problem, so I am just giving an answer so that anyone who faces this error can find the solution via this valuable post. I faced many difficulties solving this problem. Hope it helps someone.

Here the problem is that the isValid method is called twice: once when you call

if ( $form->isValid($this->getRequest()->getParams()) ) {
}

and a second time in the receive method. So if you keep the code below outside the $form->isValid method, then your file will be uploaded:

$upload = new Zend_File_Transfer_Adapter_Http();
$uploadDestination = APPLICATION_PATH . '/../public/uploads/'.$id;

if(!is_dir($uploadDestination)){
    mkdir($uploadDestination, 0777, true);
}

$upload->setDestination($uploadDestination);
echo $upload->getFileName();

if($upload->receive('pdf'))
{
    echo '<pre>';
    print_r($form->getValues());
    die();
}
else
{
    $messages = $upload->getMessages();
    echo implode("\n", $messages);
    die();
}

You will still get the error when you validate your other elements, but your file will be uploaded.



Answer 3:

I know it's been a couple years, but here is the correct answer before you pull out your hair:

$form->yourElement->setValueDisabled( true );

"Set if the file will be uploaded when getting the value. This defaults to false which will force receive() when calling getValues()."
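
The explicit-receive flow that setValueDisabled() in Answer 3 makes possible, as an added example that is not part of the original thread: the form's own file element validates and receives the upload once, and the directory name taken from the request is allow-listed before it is joined to the path. It assumes Zend Framework 1 autoloading and the question's APPLICATION_PATH constant; UploadController, the 'name' text field and the view variables are hypothetical.

```php
<?php
// Added example. Assumes Zend Framework 1 autoloading and the APPLICATION_PATH
// constant from the question; UploadController and the 'name' field are hypothetical.
class UploadController extends Zend_Controller_Action
{
    public function indexAction()
    {
        $form = new Zend_Form();
        $form->setAttrib('enctype', 'multipart/form-data')->setMethod('post');
        $form->addElement('text', 'name', array(
            'required'   => true,
            // Allow-list: this value becomes a directory name, so no "/" or "..".
            'validators' => array(array('Regex', false, array('/^[A-Za-z0-9_-]{1,64}$/D'))),
        ));
        $form->addElement('file', 'pdf', array(
            'label'      => 'Select File',
            'required'   => true,
            'validators' => array(
                'Size'      => array('min' => 20, 'max' => 1000000),
                'Extension' => array('pdf'),
                'MimeType'  => array('application/pdf'),
            ),
        ));
        $form->addElement('submit', 'Save');

        // Keep getValue()/getValues() from calling receive() implicitly.
        $pdf = $form->getElement('pdf');
        $pdf->setValueDisabled(true);
        $this->view->form = $form;

        $request = $this->getRequest();
        if (!$request->isPost() || !$form->isValid($request->getPost())) {
            return; // render the form, with any validation messages
        }

        $dir = APPLICATION_PATH . '/../public/uploads/' . $form->getValue('name');
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) { // not world-writable
            throw new RuntimeException('Cannot create upload directory');
        }
        $pdf->setDestination($dir);

        // Single explicit receive() on the element's own transfer adapter.
        if (!$pdf->receive()) {
            $this->view->errors = $pdf->getMessages();
            return;
        }
        $this->view->storedAs = $pdf->getFileName(null, false); // name without path
    }
}
```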



Answer 4:

Try this:

if ( $this->getRequest()->isPost() ) {
    if ( $form->isValid($this->getRequest()->getParams()) ) {
        $id = $form->getValue('name');

        $upload = new Zend_File_Transfer_Adapter_Http();
        $uploadDestination = APPLICATION_PATH . '/../public/uploads/'.$id;

        if(!is_dir($uploadDestination)){
            mkdir($uploadDestination, 0777, true);
        }

        $upload->setDestination($uploadDestination);
        echo $upload->getFileName();

        if($upload->receive('pdf'))
        {
            echo '<pre>';
            print_r($form->getValues());
            die();
        }
        else
        {
            $messages = $upload->getMessages();
            echo implode("\n", $messages);
            die();
        }
    }
}

        $form = new Zend_Form();
        $form->setAttrib('enctype', 'multipart/form-data');
        $form->setMethod('post')

          ->addElement('file', 'pdf', array(
                                    'size' => '40',
                                    'label' => 'Select File',
                                    'required' => true,
                                    'validators' => array(
                                                    'Size' => array('min' => 20, 'max' => 1000000)
                                                    )
                                    )
                )

          ->addElement('submit', 'Save');