ZF-4280: Zend_Form_Element_File 'destination' property leaks in the HTML after form validation

Description

I found out that when a form that contains a Zend_Form_Element_File goes through validation (isValid method) its destination property makes it to the 'value' attribute of the rendered tag.

Example of resulting output:

I haven't investigated more than that since I use my own Form_Element_File element which doesn't have this issue.

I reckon it's kind of a security issue since we don't want to expose this information to the outside world.

I'm not sure how JIRA renders code so I attached a PHP file which hopefully helps at reproducing the bug.

Comments

There is no destination property in the file element. I expect that by giving an unknown property, you are simply setting the value of the element. But value should be empty as this attribute does not exist for files. It can hold the file as soon as it's uploaded. So it's not a security issue.

Setting a destination directory does only work when you use setDestination().

There is no destination property, but as you might know Zend_Form_Element_File inherits from Zend_Form_Element which automatically calls in Zend_Form_Element::setOptions the methods that start with "set"; this according to the array given as parameter.

In the PHP file that I attached to this issue setDestination is called by setOptions just as expected. The only problem is that, as of ZF 1.6, the value attribute of the resulting tag ends up being set to this destination.

I see... the problem seems the call of isValid with the $_POST array. It automatically sets the elements destination filename as value of the file element.

I have to wait for Matthew as I need his intentions for setting the value even if there is no value attribute in HTTP for the file input. As soon as I have all informations I can fix it.

Both components have been changed. You can get the filename with the new method getFileName in form element