ZF-4969: Why move_uploaded_file() in Zend_File_Transfer_Adapter_Http? Possible filename collisions.

Issue Type: Improvement Created: 2008-11-17T21:04:49.000+0000 Last Updated: 2011-07-28T20:16:53.000+0000 Status: Resolved Fix version(s): - 1.8.0 (30/Apr/09)

Reporter: Marc Hodgins (mjh_ca) Assignee: Thomas Weidner (thomas) Tags: - Zend_File_Transfer

Related issues: Attachments:


Zend_File_Transfer_Adapter_Http defaults to storing file uploads in the system temp folder. And, if I'm not mistaken, it renames all incoming files to the filename provided (indirectly) from $_FILES['userfile']['name'], which is the "original" name of the file on the client machine (as provided by the browser).

Why is it doing file renaming at all (unless asked to do so by the a filter)? Isn't this introducing the potential for file naming collisions if two users simultaneously upload an identically named file?

In many use cases, an upload file is to be immediately processed (i.e. resize an image) and then moved to another server (i.e. on a content delivery network), so adding the extra overhead of running move_uploaded_file() seems unnecessary. Why rename the file at all by default, and why rename it to a filename that is not be guaranteed to be unique?



Posted by Thomas Weidner (thomas) on 2008-11-18T00:00:55.000+0000

You can not edit the temporary file directly. This will result in an attacker exception from php when the file is processed.

Therefor we have to move the file to a temporary location before applying filters. But many users don't set a filter.

So we now have the problem that, if we would rename the file to a "unique" self-created name, the file upload would be corrupted, as it would not be processed further, after it has left the php temp path. Therefor we accept the possibility to have filename collisions, which you have also when you do uploading manually with php.

Keep in mind that you can not process the file as long as it has not been moved from php's temp location to a working location.

The reason is security and this comes to your second question: php works internally with an hash algorithm and can detect file intrusions and other attacks. But this works only when you call is_uploaded_file/move_uploaded_file. Otherwise it would be possible to intrude the system by php's temp path when you do file uploading.

And the question is also: How often does it happen that users upload the same file in the same millisecond. One would be processed, and the other would get an "File upload corrupted... Please try again".

Posted by Matthew Weier O'Phinney (matthew) on 2008-11-20T10:36:59.000+0000

Can be solved with userland filters, and issue is not specific to ZF.

Posted by Thomas Weidner (thomas) on 2008-11-20T11:08:06.000+0000

We will implement a partitial solution. Therefor we reopen this issue but not as bug but as improvement.

But this does only work when you added the rename filter. When not, there is no way for a solution.

Posted by Thomas Weidner (thomas) on 2009-01-25T06:22:37.000+0000

An attached rename filter will now be taken in account as with r13799. The file will not be moved twice anymore.

Posted by Alex (lexor) on 2011-06-16T11:48:45.000+0000

I've got an issue with multifile upload. I want to add as many rename filters as files I have, so I do it by specifying different options (since new files get new unique names) to rename filter. The documentation says: "Note that even though setting the same filter multiple times is allowed, doing so can lead to issues when using different options for the same filter."

You say it's not a bug, but there is simply NO NORMAL WAY to upload many files and rename them. I spent hours trying to understand if it is possible, but ended up with a desire to throw away the mechanism provided with ZF. So, to be more concrete, here is the example.

I have multifile form field with base name details_image, and it is set to 3 files. Before uploading I do this

$upload = new Zend_File_Transfer_Adapter_Http(); $cnt = 0; foreach ($files as $file) { $upload->addFilter('Rename', array('target' => '/some/unique/file/name.txt'), 'details_image_' . $cnt . '_'); $cnt++; }

It doesn't work for multifile, but for simple only.

Posted by Thomas Weidner (thomas) on 2011-07-28T20:16:53.000+0000

Closing as resolved as the original issue was already cleared

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.