Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[5.4] Use getClientOriginalExtension() when available #20400

Merged
merged 2 commits into from
Aug 2, 2017
Merged

[5.4] Use getClientOriginalExtension() when available #20400

merged 2 commits into from
Aug 2, 2017

Conversation

laurencei
Copy link
Contributor

@laurencei laurencei commented Aug 2, 2017

It seems getClientOriginalExtension() is more reliable for an uploaded file during my testing. So we should use that when available. It uses the actual file extension and does not try to guess it.

@taylorotwell
Copy link
Member

Don't they just have to manually change the extension now? That value is entirely spoofable?

@laurencei
Copy link
Contributor Author

But that it what the file will be saved as.

So they can upload a php file as .jpg - but they cant do anything with it - since .jpg is not executable.

It is combined with the MIME test as well.

@taylorotwell taylorotwell merged commit 5c1832f into laravel:5.4 Aug 2, 2017
@taylorotwell
Copy link
Member

Kinda boggles my mind people are saving user uploaded files with the "php" extension in their apps but OK.

@laurencei
Copy link
Contributor Author

laurencei commented Aug 2, 2017

@taylorotwell - they are not be meaning to. If they do some save file after an image validation - then they are expecting getOrginalFileExtension() to give them on of the image extensions (i.e. .jpg) - not .php.

@laurencei laurencei deleted the tweakupload branch August 2, 2017 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants