FIX: Can't validate uploaded file for tmp folder mismatching

[baranada]

Description (*)

when upload file, php $_FILE variable returns destination path of symlinked tmp folder.
but sys_get_temp_dir() function only return target path of symlinked folder.
this mismatch made it can't pass the validation. this commit validate on both target path and destination path if symlink found.
I couldn't find php $_FILE source reference, so I put both path on validation.

Related Pull Requests

Fixed Issues (if relevant)

1. Fixes Invalid parameter given. A valid $fileId[tmp_name] is expected #25835: Invalid parameter given. A valid $fileId[tmp_name] is expected

Manual testing scenarios (*)

1. set default magento php environment sys_temp_dir ini value to any folder you made symlink to other folder.
2. Go to Stores - Settings - Configuration.
3. Open tab Catalog - Catalog. Fieldset "Product Image Placeholders".
4. Select the placeholder image for field "Base"
5. Click to button "Save"
6. You can try another setting with type "file"
7. check if validation passes or below message will pop.
   "Invalid parameter given. A valid $fileId[tmp_name] is expected"

Questions or comments

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• All automated tests passed successfully (all builds are green)

[m2-assistant]

Hi @baranada. Thank you for your contribution
Here is some useful tips how you can test your changes using Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

• @magento give me test instance - deploy test instance based on PR changes
• @magento give me 2.4-develop instance - deploy vanilla Magento instance

For more details, please, review the Magento Contributor Guide documentation.

[lenaorobei]

Closing this PR since the issue can be resolved by configuring sys_temp_dir PHP setting.

[m2-assistant]

Hi @baranada, thank you for your contribution!
Please, complete Contribution Survey, it will take less than a minute.
Your feedback will help us to improve contribution process.

[hostep]

@baranada: changes look good at first sight, but don't work in all cases.

For example, on macOS, when executing is_link('/var/tmp/') it will not work properly, because on macOS, the symlink is on the /var/ directory and not on /var/tmp/.

Here are suggested changes to make it work in all cases I think:

$sysTmpFolder = sys_get_temp_dir();
$sysTmpFolderRealPath = realpath($sysTmpFolder);

$allowedFolders = [
    $sysTmpFolder,
    $sysTmpFolderRealPath,
    $this->directoryList->getPath(DirectoryList::MEDIA),
    $this->directoryList->getPath(DirectoryList::VAR_DIR),
    $this->directoryList->getPath(DirectoryList::TMP),
    $this->directoryList->getPath(DirectoryList::UPLOAD),
];

I'm reopening this PR based on the fact that I believe there is an actual improvement we can make here.

[baranada]

@baranada: changes look good at first sight, but don't work in all cases.

For example, on macOS, when executing is_link('/var/tmp/') it will not work properly, because on macOS, the symlink is on the /var/ directory and not on /var/tmp/.

Here are suggested changes to make it work in all cases I think:

$sysTmpFolder = sys_get_temp_dir();
$sysTmpFolderRealPath = realpath($sysTmpFolder);

$allowedFolders = [
    $sysTmpFolder,
    $sysTmpFolderRealPath,
    $this->directoryList->getPath(DirectoryList::MEDIA),
    $this->directoryList->getPath(DirectoryList::VAR_DIR),
    $this->directoryList->getPath(DirectoryList::TMP),
    $this->directoryList->getPath(DirectoryList::UPLOAD),
];

I'm reopening this PR based on the fact that I believe there is an actual improvement we can make here.

@hostep, thank you for your reply.
I found that if you use realpath function, we don't have to put both paths in the validation folder.
we just pass sys_get_temp_dir results to realpath, then it will pass the validation, symlink or not.
I will apply this changes and make unit test.

[hostep]

@baranada: to be safe I would check on both paths, I'm not familiar enough with how the path in the $_FILES global are being set in all kinds of different environments.

I think we are probably most safe when checking for both the symlinked and the realpath directories.

[hostep]

Hi @baranada: are you still able/willing to put some extra time into this? Thanks!

[baranada]

I couldn't make test code for this.
I pushed the code with your suggestion. it was wrote back on 21 days ago. so github timeline is tangled.
if it's necessary to write test code, then I hope someone to help on this.
Thank you for following up.

[hostep]

@lenaorobei: can you or somebody else please review this, that would be appreciated, thanks! 🙂

[lenaorobei]

@magento run all tests

[lenaorobei]

The fix looks good. @baranada, could you please write simple integration test to cover this case?

[baranada]

The fix looks good. @baranada, could you please write simple integration test to cover this case?

Since I am not familiar with magento2 test code, I will try and come back to you next week.

[ihor-sviziev]

Moving this PR to corresponding status as requested in #27352 (review)

[engcom-Golf]

@magento run all tests

[engcom-Golf]

Hi, @baranada!
Please review test failures and fix them for the further processing of PR.
Thank you!

[m2-assistant]

Hi @baranada, thank you for your contribution!
Please, complete Contribution Survey, it will take less than a minute.
Your feedback will help us to improve contribution process.

[m2-assistant]

Hi @baranada. Thank you for your contribution
Here is some useful tips how you can test your changes using Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

• @magento give me test instance - deploy test instance based on PR changes
• @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names. Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE,
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests

You can find more information about the builds here

ℹ️ Please run only needed test builds instead of all when developing. Please run all test builds before sending your PR for review.

For more details, please, review the Magento Contributor Guide documentation.

[baranada]

@magento run all tests