Issues

ZF-6021: Zend_Form_Element_File render wrong errorMessage when unserialized

Issue Type: Bug Created: 2009-03-13T07:42:45.000+0000 Last Updated: 2009-11-13T09:39:01.000+0000 Status: Resolved Fix version(s): - 1.10.0 (27/Jan/10)

Reporter: Ing. Jitka Darbujanova (jitka_sunny) Assignee: Thomas Weidner (thomas) Tags: - Zend_Form

Related issues: Attachments:

Description

I put whole serialized form into session after !isValid, make redirect to "show"action and there check for form in session to render it with error messages populated. When there is Zend_Form_Element_File in form and validation is incorrect ... see comment in code below:

public function showInsertAction(){ .... $sess = new Zend_Session_Namespace('Model_BLL_Forms_Prispevek'); $sform = unserialize($sess->form); if (!empty($sform)) { $this->view->form = $sform; //error message is incorrect after unserialize (The file 'myFileEl' was illegal uploaded, possible attack instead of "false extension")

     unset($sess->form);
    }

... } public function insertAction(){ ... if (!@$form->isValid($this->_request->getPost())) { $form->populate($this->_request->getPost()); $sess->form = serialize($form); $onlyForTry = $form->render(); // error message is correct, but this row is only for check,

        return $this->_helper->redirector->setGoto('show-insert', 'myCon', 'admin');
    }

... }

Comments

Posted by Thomas Weidner (thomas) on 2009-11-12T12:51:57.000+0000

Note that serializing a temporary fileupload is not possible. PHP itself expects in this case a "attack" as the upload was unintentionally broken (by serializing the file).

When you want to serialize only the message, then you should not serialize the whole form, but only the error message.

Something like $form->getErrorMessages() or similar.

Posted by Thomas Weidner (thomas) on 2009-11-13T09:38:58.000+0000

Closing as non-issue

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts