Implement multipart/form-data support for PUT, DELETE and PATCH requests.

PHP, and by extension, Symfony does not support multipart/form-data requests when using any request method other than POST. This limits the ability to implement RESTful architectures using Symfony. This is a follow up to Pull Request symfony#849 I made a few years ago, and  addresses concerns brought up by Saldaek at the time.

I have implemented this functionality by manually decoding the php://input stream when the request type is PUT, DELETE or PATCH and the Content-Type header is mutlipart/form-data. The implementation is based on an example by [netcoder at stackoverflow](http://stackoverflow.com/a/9469615).

This is necessary due to an underlying limitation of PHP, as discussed here: https://bugs.php.net/bug.php?id=55815.

This fixes symfony#9226.

__Security Concerns__

The main concern I had while implementing this feature, was working with PHP's assumptions as to what constituted an uploaded file. Since the files that this commit creates are not done so through PHP's usual uploaded file mechanisms, none of the uploaded file functions (such as is_uploaded_file, move_uploaded_file) will work with them. As such, I had to implement a mechanism for recording the uploaded files as they were created, so that Symfony's UploadedFile class could be sure that it was not moving non-uploaded files.

To achieve this, I added a static array to the UploadedFile class called $files. Any uploaded files that are created outside of PHP's normal mechanism can be recorded here. UploadedFile can then check this list to ensure that if is_uploaded_file returns false, that the file being moved is in fact an uploaded file. This results in two changes to UploadedFile: Firstly, the is_uploaded_file check had to be expanded to also check if the file was recorded in UploadedFile::$files. Secondly, the move_uploaded_file needed to be changed to rename.

The change of move_uploaded_file to rename might raise a few red flags, but I do not believe this is a problem. Before rename is called, UploadedFile calls isValid, which checks that the file either is_uploaded_file, or is a member of UploadedFile::$files. Therefore the use of move_uploaded_file is an unnecessary double check (even without these changes).

Fix symfony#9226.

Author: Chekote

src/Symfony/Component/HttpFoundation/File/UploadedFile.php

@@ -26,6 +26,14 @@
  */
 class UploadedFile extends File
 {
+
+    /**
+     * List of files that were uploaded outside of PHP's standard POST multipart/form-data method.
+     *
+     * @var array
+     */
+    public static $files = array();
+
     /**
      * Whether the test mode is activated.
      *
@@ -218,7 +226,7 @@ public function isValid()
     {
         $isOk = $this->error === UPLOAD_ERR_OK;
 
-        return $this->test ? $isOk : $isOk && is_uploaded_file($this->getPathname());
+        return $this->test ? $isOk : $isOk && (is_uploaded_file($this->getPathname()) || in_array($this->getPathname(), self::$files));
     }
 
     /**
@@ -242,7 +250,7 @@ public function move($directory, $name = null)
 
             $target = $this->getTargetFile($directory, $name);
 
-            if (!@move_uploaded_file($this->getPathname(), $target)) {
+            if (!@rename($this->getPathname(), $target)) {
                 $error = error_get_last();
                 throw new FileException(sprintf('Could not move the file "%s" to "%s" (%s)', $this->getPathname(), $target, strip_tags($error['message'])));
             }

src/Symfony/Component/HttpFoundation/Request.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\HttpFoundation;
 
+use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
 /**
@@ -252,7 +253,8 @@ public function initialize(array $query = array(), array $request = array(), arr
     }
 
     /**
-     * Creates a new request with values from PHP's super globals.
+     * Creates a new request with values from PHP's super globals, or by analyzing php://input content if the
+     * request method is PUT, DELETE or PATCH.
      *
      * @return Request A new request
      *
@@ -262,16 +264,103 @@ public static function createFromGlobals()
     {
         $request = new static($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER);
 
-        if (0 === strpos($request->headers->get('CONTENT_TYPE'), 'application/x-www-form-urlencoded')
-            && in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), array('PUT', 'DELETE', 'PATCH'))
-        ) {
-            parse_str($request->getContent(), $data);
-            $request->request = new ParameterBag($data);
+        if (in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), array('PUT', 'DELETE', 'PATCH'))) {
+            $contentType = $request->headers->get('CONTENT_TYPE');
+
+            if (0 === strpos($contentType, 'application/x-www-form-urlencoded')) {
+                parse_str($request->getContent(), $data);
+                $request->request = new ParameterBag($data);
+            } else if (0 === strpos($contentType, 'multipart/form-data')) {
+                $request->decodeMultiPartFormData();
+            }
         }
 
         return $request;
     }
 
+    /**
+     * Decodes a multipart/form-data request, and injects the data into the request object. This method is used
+     * whenever a multipart/form-data request is submitted with a PUT, DELETE or PATCH method.
+     *
+     * The files array is structred such that it mimics PHP's $_FILES superglobal, allowing it to be passed on
+     * to the Request constructor.
+     *
+     * This implementation is based on an example by netcoder at http://stackoverflow.com/a/9469615.
+     * 
+     * @param Request   $request    The Request object whos content should be decoded and places into it's files
+     *                              and request properties.
+     */
+    protected function decodeMultiPartFormData() {
+        $files = array();
+        $data = array();
+
+        // Fetch content and determine boundary
+        $rawData = file_get_contents('php://input');
+        $boundary = substr($rawData, 0, strpos($rawData, "\r\n"));
+
+        // Fetch and process each part
+        $parts = array_slice(explode($boundary, $rawData), 1);
+        foreach ($parts as $part) {
+            // If this is the last part, break
+            if ($part == "--\r\n") {
+                break;
+            }
+
+            // Separate content from headers
+            $part = ltrim($part, "\r\n");
+            list($rawHeaders, $content) = explode("\r\n\r\n", $part, 2);
+            $content = substr($content, 0, strlen($content) - 2);
+
+            // Parse the headers list
+            $rawHeaders = explode("\r\n", $rawHeaders);
+            $headers = array();
+            foreach ($rawHeaders as $header) {
+                list($name, $value) = explode(':', $header);
+                $headers[strtolower($name)] = ltrim($value, ' '); 
+            }
+
+            // Parse the Content-Disposition to get the field name, etc.
+            if (isset($headers['content-disposition'])) {
+                $filename = null;
+                preg_match(
+                    '/^form-data; *name="([^"]+)"(; *filename="([^"]+)")?/', 
+                    $headers['content-disposition'], 
+                    $matches
+                );
+
+                $fieldName = $matches[1];
+                $fileName = (isset($matches[3]) ? $matches[3] : null);
+
+                // If we have a file, save it. Otherwise, save the data.
+                if ($fileName !== null) {
+                    $localFileName = tempnam(sys_get_temp_dir(), 'sfy');
+                    file_put_contents($localFileName, $content);
+
+                    $files[$fieldName] = array(
+                        'name' => $fileName,
+                        'type' => $headers['content-type'],
+                        'tmp_name' => $localFileName,
+                        'error' => 0,
+                        'size' => filesize($localFileName)
+                    );
+
+                    // record the file path so that it can be verified as an uploaded file later
+                    UploadedFile::$files[] = $localFileName;
+
+                    // register a shutdown function to cleanup the temporary file
+                    register_shutdown_function(function() {
+                       unlink($localFileName);
+                    });
+                } else {
+                    $data[$fieldName] = $content;
+                }
+            }
+        }
+
+        $this->request = new ParameterBag($data);
+        $this->files = new FileBag($files);
+    }
+
     /**
      * Creates a Request based on a given URI and configuration.
      *