Issue Type: Bug Created: 2008-09-13T04:49:15.000+0000 Last Updated: 2008-09-23T11:49:21.000+0000 Status: Resolved Fix version(s): Reporter: Loic Bistuer (loic.bistuer) Assignee: Thomas Weidner (thomas) Tags: - Zend_Form
Related issues: - ZF-4314
Attachments: - demo.php
I found out that when a form that contains a Zend_Form_Element_File goes through validation (isValid method) its destination property makes it to the 'value' attribute of the rendered tag.
Example of resulting output:
I haven't investigated more than that since I use my own Form_Element_File element which doesn't have this issue.
I reckon it's kind of a security issue since we don't want to expose this information to the outside world.
I'm not sure how JIRA renders code so I attached a PHP file which hopefully helps at reproducing the bug.
Posted by Thomas Weidner (thomas) on 2008-09-20T15:20:06.000+0000
There is no destination property in the file element. I expect that by giving an unknown property, you are simply setting the value of the element. But value should be empty as this attribute does not exist for files. It can hold the file as soon as it's uploaded. So it's not a security issue.
Setting a destination directory does only work when you use setDestination().
Posted by Loic Bistuer (loic.bistuer) on 2008-09-20T17:04:29.000+0000
There is no destination property, but as you might know Zend_Form_Element_File inherits from Zend_Form_Element which automatically calls in Zend_Form_Element::setOptions the methods that start with "set"; this according to the array given as parameter.
In the PHP file that I attached to this issue setDestination is called by setOptions just as expected. The only problem is that, as of ZF 1.6, the value attribute of the resulting tag ends up being set to this destination.
Posted by Thomas Weidner (thomas) on 2008-09-21T02:01:07.000+0000
I see... the problem seems the call of isValid with the $_POST array. It automatically sets the elements destination filename as value of the file element.
I have to wait for Matthew as I need his intentions for setting the value even if there is no value attribute in HTTP for the file input. As soon as I have all informations I can fix it.
Posted by Thomas Weidner (thomas) on 2008-09-23T11:49:21.000+0000
Both components have been changed. You can get the filename with the new method getFileName in form element
Have you found an issue?
See the Overview section for more details.