ZF-4280: Zend_Form_Element_File 'destination' property leaks in the HTML after form validation

Issue Type: Bug Created: 2008-09-13T04:49:15.000+0000 Last Updated: 2008-09-23T11:49:21.000+0000 Status: Resolved Fix version(s): Reporter: Loic Bistuer (loic.bistuer) Assignee: Thomas Weidner (thomas) Tags: - Zend_Form

Related issues: - ZF-4314

Attachments: - demo.php


I found out that when a form that contains a Zend_Form_Element_File goes through validation (isValid method) its destination property makes it to the 'value' attribute of the rendered tag.

Example of resulting output:

I haven't investigated more than that since I use my own Form_Element_File element which doesn't have this issue.

I reckon it's kind of a security issue since we don't want to expose this information to the outside world.

I'm not sure how JIRA renders code so I attached a PHP file which hopefully helps at reproducing the bug.


Posted by Thomas Weidner (thomas) on 2008-09-20T15:20:06.000+0000

There is no destination property in the file element. I expect that by giving an unknown property, you are simply setting the value of the element. But value should be empty as this attribute does not exist for files. It can hold the file as soon as it's uploaded. So it's not a security issue.

Setting a destination directory does only work when you use setDestination().

Posted by Loic Bistuer (loic.bistuer) on 2008-09-20T17:04:29.000+0000

There is no destination property, but as you might know Zend_Form_Element_File inherits from Zend_Form_Element which automatically calls in Zend_Form_Element::setOptions the methods that start with "set"; this according to the array given as parameter.

In the PHP file that I attached to this issue setDestination is called by setOptions just as expected. The only problem is that, as of ZF 1.6, the value attribute of the resulting tag ends up being set to this destination.

Posted by Thomas Weidner (thomas) on 2008-09-21T02:01:07.000+0000

I see... the problem seems the call of isValid with the $_POST array. It automatically sets the elements destination filename as value of the file element.

I have to wait for Matthew as I need his intentions for setting the value even if there is no value attribute in HTTP for the file input. As soon as I have all informations I can fix it.

Posted by Thomas Weidner (thomas) on 2008-09-23T11:49:21.000+0000

Both components have been changed. You can get the filename with the new method getFileName in form element

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.