
File Upload Plugin v6.0 Security Released

Date: Wed, Jun 2nd 2010, 16:49 Author: nick Views: 1166 Comments: 4

CakePHP File Upload Plugin

Get it:
  • Download Now
  • svn co http://svn.github.com/webtechnick/CakePHP-FileUpload-Plugin file_upload

What's new in 6.0

FileUploadPlugin v6.0 is a security release rather than a features release. There are two major changes that you should be aware of.

First, a bug fix: if a fileNameCallback function returns false, the upload is now halted, as documented.

Second, I've changed the way the plugin validates a file being uploaded. Previously the uploader only checked the MIME type of the file. Now the uploader checks the extension as well as the MIME type. Both must match, or a validation error occurs and the upload is halted. This closes a potential hole that would allow an attacker to alter the MIME type of a file and pass in a malicious file with its extension intact. This matters because most servers decide how to execute a file by its extension, not its MIME type.

This change required a change in how the allowedTypes array is constructed. Previously, allowedTypes was a flat array of MIME types. Now it is a multi-dimensional array with the extension as the key and the MIME types linked to that extension as an array value.

Some Examples

Example Setting With a Controller:

  //validate only image/jpeg and image/pjpeg mime types with ext .jpg
  //validate only image/png mime type file with ext .png
  //validate all MIME types for ext .gif
  //validate all MIME types for ext .swf
  //validate only application/pdf for ext .pdf

  $this->FileUpload->allowedTypes(array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'png' => array('image/png'),
    'gif',
    'swf',
    'pdf' => array('application/pdf'),
  ));


Sample In a Behavior:

  //validate only image/jpeg and image/pjpeg mime types with ext .jpg
  //validate only image/png mime type file with ext .png
  //validate all MIME types for ext .gif
  //validate all MIME types for ext .swf
  //validate only application/pdf for ext .pdf

  var $actsAs = array(
    'FileUpload.FileUpload' => array(
      'allowedTypes' => array(
        'jpg' => array('image/jpeg', 'image/pjpeg'),
        'png' => array('image/png'),
        'gif',
        'swf',
        'pdf' => array('application/pdf'),
      )
    )
  );


The default types are the same:

  'allowedTypes' => array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'jpeg' => array('image/jpeg', 'image/pjpeg'),
    'gif' => array('image/gif'),
    'png' => array('image/png','image/x-png'),
  ),
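To show what the new rule means in practice, here is an added stand-alone PHP check (example code written for this post, not the plugin's own validation code; the function names normalizeAllowedTypes and isUploadAllowed are hypothetical). It takes an allowedTypes array in the v6.0 shape and accepts an upload only when the extension is an allowed key and the browser-reported MIME type is listed under it:

```php
<?php
// Added example, not the plugin's own code: a stand-alone check applying the
// v6.0 rule. The extension must be a key of allowedTypes AND the MIME type must
// be listed under it; a bare entry such as 'gif' accepts any MIME for .gif.

// Normalise allowedTypes into ext => array of mimes, or ext => null ("any").
function normalizeAllowedTypes(array $allowedTypes) {
    $normalized = array();
    foreach ($allowedTypes as $key => $value) {
        if (is_int($key)) {
            $normalized[strtolower($value)] = null;   // 'gif' => any MIME
        } else {
            $normalized[strtolower($key)] = array_map('strtolower', (array)$value);
        }
    }
    return $normalized;
}

// True only when both the extension and the MIME type pass.
function isUploadAllowed($fileName, $mimeType, array $allowedTypes) {
    $allowed = normalizeAllowedTypes($allowedTypes);
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, $allowed)) {
        return false;   // extension is not on the allow list
    }
    if ($allowed[$ext] === null) {
        return true;    // any MIME type is fine for this extension
    }
    return in_array(strtolower($mimeType), $allowed[$ext], true);
}

// Constructed sample uploads (name and browser-reported type, as in $_FILES).
$allowedTypes = array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'png' => array('image/png'),
    'gif',
    'pdf' => array('application/pdf'),
);
$samples = array(
    array('photo.jpg',  'image/jpeg'),   // allowed extension, listed MIME
    array('anim.gif',   'image/gif'),    // bare 'gif' entry: any MIME accepted
    array('script.php', 'image/jpeg'),   // MIME altered; extension not allowed
    array('photo.jpg',  'text/plain'),   // allowed extension, MIME not listed
);
foreach ($samples as $sample) {
    list($name, $mime) = $sample;
    $verdict = isUploadAllowed($name, $mime, $allowedTypes) ? 'accept' : 'reject';
    printf("%-11s %-11s %s\n", $name, $mime, $verdict);
}
```

The type in $_FILES is chosen by the client, so the extension check is what actually stops a renamed script; treat the MIME match as a consistency check rather than proof of the file's contents.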


Included in the newest release is the Migration Guide from 5.0 to 6.0. I encourage you to read over that document as well.

Enjoy the changes,
Nick

Comments

06/16/2010 10:15 am

FileUpload plugin and cake13

Hi, I'm trying to configure upload plugin ver 6 in cake13. I dropped the folder file_upload in the app/plugins directory and configured the model:
  class QuestionAttachment extends AppModel {

    var $name = 'QuestionAttachment';
    var $actsAs = array(
      'FileUpload.FileUpload' => array(
        'uploadDir' => 'files/questions',
        'fields' => array('name' => 'name', 'type' => 'type', 'size' => 'size'),
        'allowedTypes' => array('pdf' => array('application/pdf')),
        'required' => false, //default is false, if true a validation error would occur if a file wasn't uploaded.
        'maxFileSize' => '10000', //bytes OR false to turn off maxFileSize (default false)
        'unique' => false, //filenames will overwrite existing files of the same name. (default true)
        'fileNameFunction' => 'sha1' //execute the Sha1 function on a filename before saving it (default false)
      )
    );

    var $belongsTo = array(
      'Question' => array(
        'className' => 'Question',
        'foreignKey' => 'question_id',
        'conditions' => '',
        'fields' => '',
        'order' => ''
      )
    );

  }

Still, I'm getting the message:
Error: The Behavior file app/models/behaviors/file_upload.file_upload.php can not be found or does not exist.

Error: Create the class below in file: app/models/behaviors/file_upload.file_upload.php

class FileUpload.FileUploadBehavior extends ModelBehavior {

}
?>
Notice: If you want to customize this error message, create app/views/errors/missing_behavior_file.ctp

What am I doing wrong?
06/17/2010 7:02 am

FileUpload plugin and cake13

You need to change the plugin folder name from file_upload_plugin to file_upload.
06/18/2010 9:45 pm

Indeed file_upload is the name of the plugin

That is correct, I should rename the folder in the svn directory. The reason it was named file_upload_plugin instead of just file_upload was because there was an original file_upload component that was named file_upload. I then repackaged the component with a helper into a plugin, while keeping the original component name. So the name difference was referring to its packaging. It's been quite a while since I've updated the original component. I think it's time to deprecate it and remove _plugin from the plugin, as it has only caused confusion.

Anyway, hope that helps,
Nick
06/20/2010 5:54 am

Great... but.

Just upgraded to the latest version of this plugin (thank you), and it's working just fine, apart from one small thing.

If I go in and delete a record, the record in the upload table, along with the file itself, are all deleted - which is exactly what it's meant to do.

But if I go in and replace the file that is uploaded, the record in the upload table gets updated, and the new file is uploaded to the server, but the old file doesn't get deleted like it should.

Any ideas? Thank you.
