[Doctrine] Security issue in handling file uploads with Doctrine

[Mak-Di]

Doc file

protected function getUploadRootDir()
    {
        // the absolute directory path where uploaded
        // documents should be saved
        return __DIR__.'/../../../../web/'.$this->getUploadDir();
    }

I don't think that storing the upload file inside of document root is a good idea.

[stof]

Storing the file in the document root is done on purpose so that it can be accessed by clients.

If your files need to be secured, the logic needs to be different indeed (and then using a controller to access them), but this cookbook entry describes the simple case, not more complex cases

[Mak-Di]

Agree, but maybe it is useful to add a note that storing the upload file inside of document root is not secure because many think that cookbook shows the best practice.

[wouterj]

I'm 👍 for adding a small caution to the article. Something like:

.. caution::

    Be aware that this will save the file inside the document root, which
    can be accessed by everyone. Consider placing it out of the document
    root and adding custom viewing logic when you need to secure the files.

Btw, @Mak-Di, the article is far from a best practice (see also #2346 ). We would be very happy if anyone can turn it into a best practice article :)