From 8f23d30e1b9cc7fd71ceb31654074df32611b7d0 Mon Sep 17 00:00:00 2001
From: Rob Allen
Date: Thu, 11 Sep 2014 16:48:04 +0100
Subject: [PATCH 1/2] Use file_exists to check for an uploaded file.

It turns out that stream_resolve_include_path doesn't work for a default Windows install where upload_tmp_dir is set to C:\Windows\Temp. I'm unclear if this is intended PHP behaviour or not, but the upload file validator should not be checking for a file of the same name on the include path regardless.
---
 src/File/UploadFile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/File/UploadFile.php b/src/File/UploadFile.php
index 604092859..8393dfe0f 100644
--- a/src/File/UploadFile.php
+++ b/src/File/UploadFile.php
@@ -74,7 +74,7 @@ public function isValid($value)
 switch ($error) {
 case UPLOAD_ERR_OK:
- if (empty($file) || false === stream_resolve_include_path($file)) {
+ if (empty($file) || false === file_exists($file)) {
 $this->error(self::FILE_NOT_FOUND);
 } elseif (! is_uploaded_file($file)) {
 $this->error(self::ATTACK);

From 49847e2a26b3faa199b9153bc9ba4f9299d643e0 Mon Sep 17 00:00:00 2001
From: Rob Allen
Date: Mon, 15 Sep 2014 15:49:47 +0100
Subject: [PATCH 2/2] Use is_file() rather than file_exists().
---
 src/File/UploadFile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/File/UploadFile.php b/src/File/UploadFile.php
index 8393dfe0f..4371c12bb 100644
--- a/src/File/UploadFile.php
+++ b/src/File/UploadFile.php
@@ -74,7 +74,7 @@ public function isValid($value)
 switch ($error) {
 case UPLOAD_ERR_OK:
- if (empty($file) || false === file_exists($file)) {
+ if (empty($file) || false === is_file($file)) {
 $this->error(self::FILE_NOT_FOUND);
 } elseif (! is_uploaded_file($file)) {
 $this->error(self::ATTACK);
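Review bot: The existence test in the `UPLOAD_ERR_OK` branch still runs before `is_uploaded_file()`, so a path not yet confirmed as an upload reaches a stream-wrapper-aware filesystem call, and `FILE_NOT_FOUND` versus `ATTACK` reveals whether that path exists. This applies to `file_exists()` here and equally to `is_file()` in the PATCH 2/2 hunk. If `$file` can come from anything other than PHP's own `$_FILES` entry (its origin is outside the hunk), checking provenance first closes both gaps: `if (empty($file)) {` … `} elseif (! is_uploaded_file($file)) {` … `} elseif (! is_file($file)) {`. A non-upload path that does not exist would then report `ATTACK` rather than `FILE_NOT_FOUND`, so confirm that callers and tests do not depend on the current order. `isValid()` starts and ends outside the hunk.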
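Review bot: Neither the 2/2 commit message nor the code records why `is_file()` replaces `file_exists()`, so a later reader of the condition cannot see the difference. A one-line comment above the `if` would capture it: `// tmp_name must be a regular file: file_exists() is also true for directories, and stream_resolve_include_path() searches the include path`. The condition also mixes `false === is_file($file)` with `! is_uploaded_file($file)` in the next branch; `! is_file($file)` would read consistently.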