分块上传验证:"The file could not be uploaded."
Chunked upload validation: "The file could not be uploaded."
我目前正在尝试让 Symfonys Validator Component 处理上传文件的验证,这对普通文件来说工作得很好。但是,如果文件超过一定大小,它们将作为块上传,然后合并并验证。两种上传方式都是通过同一个函数验证的,基本上就是这样:
public function validateFile(UploadedFile $uploadedFile): ConstraintViolationList {
return $this->validator->validate(
$uploadedFile,
[
new FileConstraints([
'maxSize' => '1000M',
]),
]
);
}
但不知何故,合并的上传触发了违规行为,不幸的是,这对我来说非常无用:
Symfony\Component\Validator\ConstraintViolation {#658 ▼
-message: "The file could not be uploaded."
-messageTemplate: "The file could not be uploaded."
-parameters: []
-plural: null
-root: Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▶}
-propertyPath: ""
-invalidValue: Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▶}
-constraint: Symfony\Component\Validator\Constraints\File {#649 ▶}
-code: "0"
-cause: null
}
日志很干净,没有错误,只有关于匹配路由和弃用内容的信息以及关于身份验证令牌等的调试。
如果我 dump'n'die UploadedObjects,唯一的区别是分块和合并的对象有 executable: true 并且它没有存储在 tmp 中。
这里有人可以向我解释导致这种违规行为的原因以及必须采取哪些措施来防止这种违规行为,或者向我指出一些与此相关的文档吗?
编辑:块的上传和合并似乎工作得很好 - 可以查看上传的图像,可以读取文本 docs/pdfs 等。还使用了所有其他代码很长一段时间现在不同验证,只是想让一切变得更专业,并通过使用现有的验证器基础设施进行排序。要提供有关已上传对象的其他信息,这里是 dd 输出,从常规文件上传开始:
Symfony\Component\HttpFoundation\File\UploadedFile {#20 ▼
-test: false
-originalName: "foo.jpg"
-mimeType: "image/jpeg"
-error: 0
path: "/tmp"
filename: "phpEu7Xmw"
basename: "phpEu7Xmw"
pathname: "/tmp/phpEu7Xmw"
extension: ""
realPath: "/tmp/phpEu7Xmw"
aTime: 2021-05-27 10:47:56
mTime: 2021-05-27 10:47:54
cTime: 2021-05-27 10:47:54
inode: 1048589
size: 539474
perms: 0100600
owner: 1000
group: 1000
type: "file"
writable: true
readable: true
executable: false
file: true
dir: false
link: false
}
分块上传:
Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▼
-test: false
-originalName: "foo.jpg"
-mimeType: "image/jpeg"
-error: 0
path: "/home/vagrant/MyProject/var/uploads"
filename: "foo.jpg"
basename: "foo.jpg"
pathname: "/home/vagrant/MyProject/var/uploads/foo.jpg"
extension: "jpg"
realPath: "/home/vagrant/MyProject/var/uploads/foo.jpg"
aTime: 2021-05-27 10:43:58
mTime: 2021-05-27 10:43:58
cTime: 2021-05-27 10:43:58
inode: 8154
size: 539474
perms: 0100777
owner: 1000
group: 1000
type: "file"
writable: true
readable: true
executable: true
file: true
dir: false
link: false
}
new Count([
'min' => 1,
'minMessage' => 'Please select a file to upload'
]),
我认为 NotBlank 约束是这里的问题,我认为不应该在 UploadedFile 上使用它。
尝试仅使用 File 和 Count 约束条件(以确保至少附加 1 个文件)。
当File 约束接收到一个UploadedFile 实例时,它会触发对isValid, which in turn calls is_uploaded_file:
的调用
Returns true if the file named by filename was uploaded via HTTP POST.
This is useful to help ensure that a malicious user hasn't tried to
trick the script into working on files upon which it should not be
working
将块重新组合成新文件后,此检查不再通过且约束失败。
您可以使用最后一个文件片段重新组合原始文件,或者您可以从函数中 return File。 File 不受该检查的约束,约束将与 UploadedFile.
一起接受它
以编程方式创建 UploadedFile 对象时,请使用 'test mode'。我将它与 VichUploaderBundle 一起使用,并且记录了测试模式的使用 here.
我目前正在尝试让 Symfonys Validator Component 处理上传文件的验证,这对普通文件来说工作得很好。但是,如果文件超过一定大小,它们将作为块上传,然后合并并验证。两种上传方式都是通过同一个函数验证的,基本上就是这样:
public function validateFile(UploadedFile $uploadedFile): ConstraintViolationList {
return $this->validator->validate(
$uploadedFile,
[
new FileConstraints([
'maxSize' => '1000M',
]),
]
);
}
但不知何故,合并的上传触发了违规行为,不幸的是,这对我来说非常无用:
Symfony\Component\Validator\ConstraintViolation {#658 ▼
-message: "The file could not be uploaded."
-messageTemplate: "The file could not be uploaded."
-parameters: []
-plural: null
-root: Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▶}
-propertyPath: ""
-invalidValue: Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▶}
-constraint: Symfony\Component\Validator\Constraints\File {#649 ▶}
-code: "0"
-cause: null
}
日志很干净,没有错误,只有关于匹配路由和弃用内容的信息以及关于身份验证令牌等的调试。
如果我 dump'n'die UploadedObjects,唯一的区别是分块和合并的对象有 executable: true 并且它没有存储在 tmp 中。
这里有人可以向我解释导致这种违规行为的原因以及必须采取哪些措施来防止这种违规行为,或者向我指出一些与此相关的文档吗?
编辑:块的上传和合并似乎工作得很好 - 可以查看上传的图像,可以读取文本 docs/pdfs 等。还使用了所有其他代码很长一段时间现在不同验证,只是想让一切变得更专业,并通过使用现有的验证器基础设施进行排序。要提供有关已上传对象的其他信息,这里是 dd 输出,从常规文件上传开始:
Symfony\Component\HttpFoundation\File\UploadedFile {#20 ▼
-test: false
-originalName: "foo.jpg"
-mimeType: "image/jpeg"
-error: 0
path: "/tmp"
filename: "phpEu7Xmw"
basename: "phpEu7Xmw"
pathname: "/tmp/phpEu7Xmw"
extension: ""
realPath: "/tmp/phpEu7Xmw"
aTime: 2021-05-27 10:47:56
mTime: 2021-05-27 10:47:54
cTime: 2021-05-27 10:47:54
inode: 1048589
size: 539474
perms: 0100600
owner: 1000
group: 1000
type: "file"
writable: true
readable: true
executable: false
file: true
dir: false
link: false
}
分块上传:
Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▼
-test: false
-originalName: "foo.jpg"
-mimeType: "image/jpeg"
-error: 0
path: "/home/vagrant/MyProject/var/uploads"
filename: "foo.jpg"
basename: "foo.jpg"
pathname: "/home/vagrant/MyProject/var/uploads/foo.jpg"
extension: "jpg"
realPath: "/home/vagrant/MyProject/var/uploads/foo.jpg"
aTime: 2021-05-27 10:43:58
mTime: 2021-05-27 10:43:58
cTime: 2021-05-27 10:43:58
inode: 8154
size: 539474
perms: 0100777
owner: 1000
group: 1000
type: "file"
writable: true
readable: true
executable: true
file: true
dir: false
link: false
}
new Count([
'min' => 1,
'minMessage' => 'Please select a file to upload'
]),
我认为 NotBlank 约束是这里的问题,我认为不应该在 UploadedFile 上使用它。
尝试仅使用 File 和 Count 约束条件(以确保至少附加 1 个文件)。
当File 约束接收到一个UploadedFile 实例时,它会触发对isValid, which in turn calls is_uploaded_file:
Returns true if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working
将块重新组合成新文件后,此检查不再通过且约束失败。
您可以使用最后一个文件片段重新组合原始文件,或者您可以从函数中 return File。 File 不受该检查的约束,约束将与 UploadedFile.
以编程方式创建 UploadedFile 对象时,请使用 'test mode'。我将它与 VichUploaderBundle 一起使用,并且记录了测试模式的使用 here.