Implement multipart/form-data for PUT, DELETE and PATCH requests.

PHP, and by extension, Symfony does not support multipart/form-data requests when using any request method other than POST. This limits the ability to implement RESTful architectures using Symfony. This is a follow up to Pull Request symfony#849 I made a few years ago, and  addresses concerns brought up by Saldaek at the time.

I have implemented this functionality by manually decoding the php://input stream when the request type is PUT, DELETE or PATCH and the Content-Type header is mutlipart/form-data. The implementation is based on an example by [netcoder at stackoverflow](http://stackoverflow.com/a/9469615).

This is necessary due to an underlying limitation of PHP, as discussed here: https://bugs.php.net/bug.php?id=55815.

This fixes symfony#9226.

__Security Concerns__

The main concern I had while implementing this feature, was working with PHP's assumptions as to what constituted an uploaded file. Since the files that this commit creates are not done so through PHP's usual uploaded file mechanisms, none of the uploaded file functions (such as is_uploaded_file, move_uploaded_file) will work with them. As such, I had to implement a mechanism for recording the uploaded files as they were created, so that Symfony's UploadedFile class could be sure that it was not moving non-uploaded files.

To achieve this, I added a static array to the UploadedFile class called $files. Any uploaded files that are created outside of PHP's normal mechanism can be recorded here. UploadedFile can then check this list to ensure that if is_uploaded_file returns false, that the file being moved is in fact an uploaded file. This results in two changes to UploadedFile: Firstly, the is_uploaded_file check had to be expanded to also check if the file was recorded in UploadedFile::$files. Secondly, the move_uploaded_file needed to be changed to rename.

The change of move_uploaded_file to rename might raise a few red flags, but I do not believe this is a problem. Before rename is called, UploadedFile calls isValid, which checks that the file either is_uploaded_file, or is a member of UploadedFile::$files. Therefore the use of move_uploaded_file is an unnecessary double check (even without these changes).

Fix symfony#9226.

Conflicts:
	src/Symfony/Component/HttpFoundation/Tests/RequestTest.php

Author: Chekote

src/Symfony/Component/HttpFoundation/File/UploadedFile.php

@@ -26,6 +26,13 @@
  */
 class UploadedFile extends File
 {
+    /**
+     * List of files that were uploaded outside of PHP's standard POST multipart/form-data method.
+     *
+     * @var array
+     */
+    public static $files = array();
+
     /**
      * Whether the test mode is activated.
      *
@@ -218,7 +225,7 @@ public function isValid()
     {
         $isOk = $this->error === UPLOAD_ERR_OK;
 
-        return $this->test ? $isOk : $isOk && is_uploaded_file($this->getPathname());
+        return $this->test ? $isOk : $isOk && (is_uploaded_file($this->getPathname()) || in_array($this->getPathname(), self::$files));
     }
 
     /**
@@ -242,7 +249,7 @@ public function move($directory, $name = null)
 
             $target = $this->getTargetFile($directory, $name);
 
-            if (!@move_uploaded_file($this->getPathname(), $target)) {
+            if (!@rename($this->getPathname(), $target)) {
                 $error = error_get_last();
                 throw new FileException(sprintf('Could not move the file "%s" to "%s" (%s)', $this->getPathname(), $target, strip_tags($error['message'])));
             }

src/Symfony/Component/HttpFoundation/Request.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\HttpFoundation;
 
+use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
 /**
@@ -252,26 +253,126 @@ public function initialize(array $query = array(), array $request = array(), arr
     }
 
     /**
-     * Creates a new request with values from PHP's super globals.
+     * Creates a new request with values from PHP's super globals, or by analyzing the request content if the
+     * request method is PUT, DELETE or PATCH.
      *
-     * @return Request A new request
+     * @param   Boolean $test         Whether the test mode is active
+     * @return  Request A new request
      *
      * @api
      */
     public static function createFromGlobals()
     {
         $request = new static($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER);
 
-        if (0 === strpos($request->headers->get('CONTENT_TYPE'), 'application/x-www-form-urlencoded')
-            && in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), array('PUT', 'DELETE', 'PATCH'))
-        ) {
-            parse_str($request->getContent(), $data);
-            $request->request = new ParameterBag($data);
+        if (in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), array('PUT', 'DELETE', 'PATCH'))) {
+            $contentType = $request->headers->get('CONTENT_TYPE');
+
+            if (0 === strpos($contentType, 'application/x-www-form-urlencoded')) {
+                parse_str($request->getContent(), $data);
+                $request->request = new ParameterBag($data);
+            } elseif (0 === strpos($contentType, 'multipart/form-data')) {
+                $request->decodeMultiPartFormData();
+            }
         }
 
         return $request;
     }
 
+    /**
+     * Decodes a multipart/form-data request, and injects the data into the request object. This method is used
+     * whenever a multipart/form-data request is submitted with a PUT, DELETE or PATCH method.
+     *
+     * This implementation is based on an example by netcoder at http://stackoverflow.com/a/9469615.
+     *
+     * @param Request   $request    The Request object whos content should be decoded and places into it's files
+     *                              and request properties.
+     */
+    protected function decodeMultiPartFormData()
+    {
+        /**
+         * The files array is structured such that it mimics PHP's $_FILES superglobal, allowing it to be passed on
+         * to the Request constructor.
+         * @var array
+         */
+        $files = array();
+
+        /**
+         * Key/value pairs of decoded form-data
+         * @var array
+         */
+        $data = array();
+
+        // Fetch content and determine boundary
+        $rawData = $this->getContent();
+        if ($rawData) {
+            $boundary = substr($rawData, 0, strpos($rawData, "\r\n"));
+
+            // Fetch and process each part
+            $parts = array_slice(explode($boundary, $rawData), 1);
+            foreach ($parts as $part) {
+                // If this is the last part, break
+                if ($part == "--\r\n") {
+                    break;
+                }
+
+                // Separate content from headers
+                $part = ltrim($part, "\r\n");
+                list($rawHeaders, $content) = explode("\r\n\r\n", $part, 2);
+                $content = substr($content, 0, strlen($content) - 2);
+
+                // Parse the headers list
+                $rawHeaders = explode("\r\n", $rawHeaders);
+                $headers = array();
+                foreach ($rawHeaders as $header) {
+                    list($name, $value) = explode(':', $header, 2);
+                    $headers[strtolower($name)] = ltrim($value, ' ');
+                }
+
+                // Parse the Content-Disposition to get the field name, etc.
+                if (isset($headers['content-disposition'])) {
+                    $filename = null;
+                    preg_match(
+                        '/^form-data; *name="([^"]+)"(?:; *filename="([^"]+)")?/',
+                        $headers['content-disposition'],
+                        $matches
+                    );
+
+                    $fieldName = $matches[1];
+                    $fileName = (isset($matches[2]) ? $matches[2] : null);
+
+                    // If we have no filename, save the data. Otherwise, save the file.
+                    if ($fileName === null) {
+                        $data[$fieldName] = $content;
+                    } else {
+                        $localFileName = tempnam(sys_get_temp_dir(), 'sfy');
+                        file_put_contents($localFileName, $content);
+
+                        $files[$fieldName] = array(
+                            'name' => $fileName,
+                            'type' => $headers['content-type'],
+                            'tmp_name' => $localFileName,
+                            'error' => 0,
+                            'size' => filesize($localFileName)
+                        );
+
+                        // Record the file path so that it can be verified as an uploaded file later
+                        UploadedFile::$files[] = $localFileName;
+
+                        // If the uploaded file is not moved, we need to delete it. To do that, we
+                        // register a shutdown function to cleanup the temporary file
+                        register_shutdown_function(function () use ($localFileName) {
+                           @unlink($localFileName);
+                        });
+                    }
+                }
+            }
+        }
+
+        $this->request = new ParameterBag($data);
+        $this->files = new FileBag($files);
+    }
+
     /**
      * Creates a Request based on a given URI and configuration.
      *

src/Symfony/Component/HttpFoundation/Tests/Fixtures/multipart-formdata

@@ -970,6 +970,18 @@ public function testCreateFromGlobals($method)
 
         unset($_POST['_method'], $_POST['foo6'], $_SERVER['REQUEST_METHOD']);
         $this->disableHttpMethodParameterOverride();
+
+        $_SERVER['REQUEST_METHOD'] = $method;
+        $_SERVER['CONTENT_TYPE'] = 'multipart/form-data';
+        $request = MultiPartFormDataRequestContentProxy::createFromGlobals();
+        $this->assertEquals('value', $request->request->get('field'), '::fromGlobals() decodes data from multipart-formdata');
+        $this->assertTrue($request->files->has('file'), '::fromGlobals() decodes files from multipart-formdata');
+        $file = $request->files->get('file');
+        $this->assertEquals('chekote_tiny.png', $file->getClientOriginalName(), '::fromGlobals() decodes file name from multipart-formdata');
+        $this->assertEquals('image/png', $file->getClientMimeType(), '::fromGlobals() decodes file type from multipart-formdata');
+        $this->assertEquals(7411, $file->getClientSize(), '::fromGlobals() decodes file size from multipart-formdata');
+
+        unset($_SERVER['REQUEST_METHOD'], $_SERVER['CONTENT_TYPE']);
     }
 
     public function testOverrideGlobals()
@@ -1595,3 +1607,11 @@ public function getContent($asResource = false)
         return http_build_query(array('_method' => 'PUT', 'content' => 'mycontent'));
     }
 }
+
+class MultiPartFormDataRequestContentProxy extends Request
+{
+    public function getContent($asResource = false)
+    {
+        return file_get_contents(__DIR__.'/Fixtures/multipart-formdata');
+    }
+}