From 69475d0c22c88c7b1991f8db64ddc8f2177ce3af Mon Sep 17 00:00:00 2001 From: Ana Cicconi Date: Sat, 23 May 2015 11:44:46 +0200 Subject: [PATCH 1/2] Adding a caution to the getUploadRootDir() method | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | #4177 [Doctrine] Security issue in handling file uploads with Doctrine --- cookbook/doctrine/file_uploads.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cookbook/doctrine/file_uploads.rst b/cookbook/doctrine/file_uploads.rst index f9a2d7bb4d9..3929f262621 100644 --- a/cookbook/doctrine/file_uploads.rst +++ b/cookbook/doctrine/file_uploads.rst @@ -99,6 +99,13 @@ file. If you're using annotations to specify your validation rules (as shown in this example), be sure that you've enabled validation by annotation (see :ref:`validation configuration `). + +.. caution:: + + If you use the getUploadRootDir() method, be aware that this will save + the file inside the document root, which can be accessed by everyone. + Consider placing it out of the document root and adding custom viewing + logic when you need to secure the files. To handle the actual file upload in the form, use a "virtual" ``file`` field. For example, if you're building your form directly in a controller, it might From a80d669ece91f9d4c77923fab3ddb9940c7eedc8 Mon Sep 17 00:00:00 2001 From: Ana Cicconi Date: Sat, 23 May 2015 11:52:13 +0200 Subject: [PATCH 2/2] Add a caution to the getUploadRootDir - correction --- cookbook/doctrine/file_uploads.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbook/doctrine/file_uploads.rst b/cookbook/doctrine/file_uploads.rst index 3929f262621..ce9659cc46a 100644 --- a/cookbook/doctrine/file_uploads.rst +++ b/cookbook/doctrine/file_uploads.rst 
@@ -102,7 +102,7 @@ file. .. caution:: - If you use the getUploadRootDir() method, be aware that this will save + If you use the ``getUploadRootDir()`` method, be aware that this will save the file inside the document root, which can be accessed by everyone. Consider placing it out of the document root and adding custom viewing logic when you need to secure the files.
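Review bot: In the first hunk (the new `.. caution::` block added at line 102 of cookbook/doctrine/file_uploads.rst), the warning is placed after the paragraph about validation annotations rather than next to the code that defines `getUploadRootDir()`, so a reader who copies the method from its own listing will not see it; move the caution beside that listing, or at least open it with what the method returns so the risk is self-explanatory. The wording could also be sharper: "be aware that this will save the file inside the document root, which can be accessed by everyone" reads better as "be aware that it stores the file inside the document root, where the web server serves it directly to anyone who knows the URL", and "Consider placing it out of the document root" should name its subject ("Consider placing the upload directory outside the document root"). Finally, the method name on the first line lacks the double backticks that the rest of this document uses for code identifiers, and the hunk has no blank line before the caution block's directive, so the rendered output relies on the preceding paragraph's trailing blank line; add the explicit separation.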
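Review bot: The second hunk only wraps `getUploadRootDir()` in double backticks to match the document's convention for code identifiers, which is a formatting fix-up of the first commit and should be squashed into it rather than landing as a separate "correction" commit, so the history carries one change with one intelligible message. The change itself is correct; the remaining context lines ("the file inside the document root, which can be accessed by everyone." through "logic when you need to secure the files.") are unchanged and the line stays within the wrapping width used elsewhere in the file.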