1

The docs only state that it's user-provided input and therefore not to be trusted. That much makes sense since we never trust user input, but in what ways could a malicious user cause damage with this or the other request parameters on an uploaded file?

I ask that I may know when and where this information is safe to use, when it is unsafe, and how I may mitigate the impact when I must at least reference it.

Michael Cordingley
  • 1,485
  • 1
  • 11
  • 23
  • One obvious problem might be sql injection. If you store the name in a database without taking the appropriate precautions then problems could ensue. The unwary developer might not realize that the name is just as susceptible to being changed as any other posted data. I imagine it could also be used in a cross-site scripting attack if the name is ever echo'ed back to the browser without suitable filtering. – Cerad Jul 16 '19 at 17:42
  • Say you try and store the file under that name, by prefixing it with the base path of your upload directory - something like `'/myproject/data/uploads/' . $filename`. Now imagine what path that will actually result in, if I made my client not submit `foo.jpg` as the file name, but `../../index.php` or something like that … – misorude Jul 17 '19 at 09:06
  • SQL injection shouldn't be an issue if you're binding queries and it looks like \Symfony\Component\HttpFoundation\File\File::getName strips down to the base name of the file, so there shouldn't be the ability to escape a path. I think I'm missing something else. – Michael Cordingley Jul 18 '19 at 15:26

0 Answers0