8877511590

Committed 29 Apr 2024 11:05AM UTC coverage: 81.537% (-0.2%) from 81.776%

Build Type

push

github

Committed by

Commit Message

IRequest, IResponse: added typehints, unification (BC break)

Run Details

2 of 2 new or added lines in 1 file covered. (100.0%)

53 existing lines in 5 files now uncovered.

870 of 1067 relevant lines covered (81.54%)

0.82 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

74.19

/src/Http/FileUpload.php

<?php

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

declare(strict_types=1);

namespace Nette\Http;

use Nette;
use Nette\Utils\Image;


/**
 * Provides access to individual files that have been uploaded by a client.
 *
 * @property-read string $name
 * @property-read string $sanitizedName
 * @property-read string $untrustedFullPath
 * @property-read string|null $contentType
 * @property-read int $size
 * @property-read string $temporaryFile
 * @property-read int $error
 * @property-read bool $ok
 * @property-read string|null $contents
 */
final class FileUpload
{
        use Nette\SmartObject;

        /** @deprecated */
        public const IMAGE_MIME_TYPES = ['image/gif', 'image/png', 'image/jpeg', 'image/webp'];

        private readonly string $name;
        private readonly string|null $fullPath;
        private string|false|null $type = null;
        private string|false|null $extension = null;
        private readonly int $size;
        private string $tmpName;
        private readonly int $error;


        public function __construct(?array $value)
        {
                foreach (['name', 'size', 'tmp_name', 'error'] as $key) {
                        if (!isset($value[$key]) || !is_scalar($value[$key])) {
                                $this->error = UPLOAD_ERR_NO_FILE;
                                return; // or throw exception?
                        }
                }

                $this->name = $value['name'];
                $this->fullPath = $value['full_path'] ?? null;
                $this->size = $value['size'];
                $this->tmpName = $value['tmp_name'];
                $this->error = $value['error'];
        }


        /**
         * @deprecated use getUntrustedName()
         */
        public function getName(): string
        {
                trigger_error(__METHOD__ . '() is deprecated, use getUntrustedName()', E_USER_DEPRECATED);
                return $this->name;
        }


        /**
         * Returns the original file name as submitted by the browser. Do not trust the value returned by this method.
         * A client could send a malicious filename with the intention to corrupt or hack your application.
         */
        public function getUntrustedName(): string
        {
                return $this->name;
        }


        /**
         * Returns the sanitized file name. The resulting name contains only ASCII characters [a-zA-Z0-9.-].
         * If the name does not contain such characters, it returns 'unknown'. If the file is JPEG, PNG, GIF, or WebP image,
         * it returns the correct file extension. Do not blindly trust the value returned by this method.
         */
        public function getSanitizedName(): string
        {
                $name = Nette\Utils\Strings::webalize($this->name, '.', lower: false);
                $name = str_replace(['-.', '.-'], '.', $name);
                $name = trim($name, '.-');
                $name = $name === '' ? 'unknown' : $name;
                if ($ext = $this->getSuggestedExtension()) {
                        $name = preg_replace('#\.[^.]+$#D', '', $name);
                        $name .= '.' . $ext;
                }

                return $name;
        }


        /**
         * Returns the original full path as submitted by the browser during directory upload. Do not trust the value
         * returned by this method. A client could send a malicious directory structure with the intention to corrupt
         * or hack your application.
         *
         * The full path is only available in PHP 8.1 and above. In previous versions, this method returns the file name.
         */
        public function getUntrustedFullPath(): string
        {
                return $this->fullPath ?? $this->name;
        }


        /**
         * Detects the MIME content type of the uploaded file based on its signature. Requires PHP extension fileinfo.
         * If the upload was not successful or the detection failed, it returns null.
         */
        public function getContentType(): ?string
        {
                if ($this->isOk()) {
                        $this->type ??= finfo_file(finfo_open(FILEINFO_MIME_TYPE), $this->tmpName);
                }

                return $this->type ?: null;
        }


        /**
         * Returns the appropriate file extension (without the period) corresponding to the detected MIME type. Requires the PHP extension fileinfo.
         */
        public function getSuggestedExtension(): ?string
        {
                if ($this->isOk() && $this->extension === null) {
                        $exts = finfo_file(finfo_open(FILEINFO_EXTENSION), $this->tmpName);
                        if ($exts && $exts !== '???') {
                                return $this->extension = preg_replace('~[/,].*~', '', $exts);
                        }
                        [, , $type] = @getimagesize($this->tmpName); // @ - files smaller than 12 bytes causes read error
                        if ($type) {
                                return $this->extension = image_type_to_extension($type, false);
                        }
                        $this->extension = false;
                }

                return $this->extension ?: null;
        }


        /**
         * Returns the size of the uploaded file in bytes.
         */
        public function getSize(): int
        {
                return $this->size;
        }


        /**
         * Returns the path of the temporary location of the uploaded file.
         */
        public function getTemporaryFile(): string
        {
                return $this->tmpName;
        }


        /**
         * Returns the path of the temporary location of the uploaded file.
         */
        public function __toString(): string
        {
                return $this->tmpName;
        }


        /**
         * Returns the error code. It is be one of UPLOAD_ERR_XXX constants.
         * @see http://php.net/manual/en/features.file-upload.errors.php
         */
        public function getError(): int
        {
                return $this->error;
        }


        /**
         * Returns true if the file was uploaded successfully.
         */
        public function isOk(): bool
        {
                return $this->error === UPLOAD_ERR_OK;
        }


        /**
         * Returns true if the user has uploaded a file.
         */
        public function hasFile(): bool
        {
                return $this->error !== UPLOAD_ERR_NO_FILE;
        }


        /**
         * Moves an uploaded file to a new location. If the destination file already exists, it will be overwritten.
         */
        public function move(string $dest): static
        {
                $dir = dirname($dest);
                Nette\Utils\FileSystem::createDir($dir);
                @unlink($dest); // @ - file may not exists
                Nette\Utils\Callback::invokeSafe(
                        is_uploaded_file($this->tmpName) ? 'move_uploaded_file' : 'rename',
                        [$this->tmpName, $dest],
                        function (string $message) use ($dest): void {
                                throw new Nette\InvalidStateException("Unable to move uploaded file '$this->tmpName' to '$dest'. $message");
                        },
                );
                @chmod($dest, 0o666); // @ - possible low permission to chmod
                $this->tmpName = $dest;
                return $this;
        }


        /**
         * Returns true if the uploaded file is an image and the format is supported by PHP, so it can be loaded using the toImage() method.
         * Detection is based on its signature, the integrity of the file is not checked. Requires PHP extensions fileinfo & gd.
         */
        public function isImage(): bool
        {
                $types = array_map(fn($type) => Image::typeToMimeType($type), Image::getSupportedTypes());
                return in_array($this->getContentType(), $types, strict: true);
        }


        /**
         * Converts uploaded image to Nette\Utils\Image object.
         * @throws Nette\Utils\ImageException  If the upload was not successful or is not a valid image
         */
        public function toImage(): Image
        {
                return Image::fromFile($this->tmpName);
        }


        /**
         * Returns a pair of [width, height] with dimensions of the uploaded image.
         */
        public function getImageSize(): ?array
        {
                return $this->isImage()
                        ? array_intersect_key(getimagesize($this->tmpName), [0, 1])
                        : null;
        }


        /**
         * Returns image file extension based on detected content type (without dot).
         * @deprecated use getSuggestedExtension()
         */
        public function getImageFileExtension(): ?string
        {
                return $this->getSuggestedExtension();
        }


        /**
         * Returns the contents of the uploaded file. If the upload was not successful, it returns null.
         */
        public function getContents(): ?string
        {
                // future implementation can try to work around safe_mode and open_basedir limitations
                return $this->isOk()
                        ? file_get_contents($this->tmpName)
                        : null;
        }
}

1	<?php
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	declare(strict_types=1);
9
10	namespace Nette\Http;
11
12	use Nette;
13	use Nette\Utils\Image;
14
15
16	/**
17	* Provides access to individual files that have been uploaded by a client.
18	*
19	* @property-read string $name
20	* @property-read string $sanitizedName
21	* @property-read string $untrustedFullPath
22	* @property-read string\|null $contentType
23	* @property-read int $size
24	* @property-read string $temporaryFile
25	* @property-read int $error
26	* @property-read bool $ok
27	* @property-read string\|null $contents
28	*/
29	final class FileUpload
30	{
31	use Nette\SmartObject;
32
33	/** @deprecated */
34	public const IMAGE_MIME_TYPES = ['image/gif', 'image/png', 'image/jpeg', 'image/webp'];
35
36	private readonly string $name;
37	private readonly string\|null $fullPath;
38	private string\|false\|null $type = null;
39	private string\|false\|null $extension = null;
40	private readonly int $size;
41	private string $tmpName;
42	private readonly int $error;
43
44
45	public function __construct(?array $value)	1✔
46	{
47	foreach (['name', 'size', 'tmp_name', 'error'] as $key) {	1✔
48	if (!isset($value[$key]) \|\| !is_scalar($value[$key])) {	1✔
UNCOV 49	$this->error = UPLOAD_ERR_NO_FILE;	×
UNCOV 50	return; // or throw exception?	×
51	}
52	}
53
54	$this->name = $value['name'];	1✔
55	$this->fullPath = $value['full_path'] ?? null;	1✔
56	$this->size = $value['size'];	1✔
57	$this->tmpName = $value['tmp_name'];	1✔
58	$this->error = $value['error'];	1✔
59	}	1✔
60
61
62	/**
63	* @deprecated use getUntrustedName()
64	*/
65	public function getName(): string
66	{
67	trigger_error(__METHOD__ . '() is deprecated, use getUntrustedName()', E_USER_DEPRECATED);	1✔
68	return $this->name;	1✔
69	}
70
71
72	/**
73	* Returns the original file name as submitted by the browser. Do not trust the value returned by this method.
74	* A client could send a malicious filename with the intention to corrupt or hack your application.
75	*/
76	public function getUntrustedName(): string
77	{
78	return $this->name;	1✔
79	}
80
81
82	/**
83	* Returns the sanitized file name. The resulting name contains only ASCII characters [a-zA-Z0-9.-].
84	* If the name does not contain such characters, it returns 'unknown'. If the file is JPEG, PNG, GIF, or WebP image,
85	* it returns the correct file extension. Do not blindly trust the value returned by this method.
86	*/
87	public function getSanitizedName(): string
88	{
89	$name = Nette\Utils\Strings::webalize($this->name, '.', lower: false);	1✔
90	$name = str_replace(['-.', '.-'], '.', $name);	1✔
91	$name = trim($name, '.-');	1✔
92	$name = $name === '' ? 'unknown' : $name;	1✔
93	if ($ext = $this->getSuggestedExtension()) {	1✔
94	$name = preg_replace('#\.[^.]+$#D', '', $name);	1✔
95	$name .= '.' . $ext;	1✔
96	}
97
98	return $name;	1✔
99	}
100
101
102	/**
103	* Returns the original full path as submitted by the browser during directory upload. Do not trust the value
104	* returned by this method. A client could send a malicious directory structure with the intention to corrupt
105	* or hack your application.
106	*
107	* The full path is only available in PHP 8.1 and above. In previous versions, this method returns the file name.
108	*/
109	public function getUntrustedFullPath(): string
110	{
111	return $this->fullPath ?? $this->name;	1✔
112	}
113
114
115	/**
116	* Detects the MIME content type of the uploaded file based on its signature. Requires PHP extension fileinfo.
117	* If the upload was not successful or the detection failed, it returns null.
118	*/
119	public function getContentType(): ?string
120	{
121	if ($this->isOk()) {	1✔
122	$this->type ??= finfo_file(finfo_open(FILEINFO_MIME_TYPE), $this->tmpName);	1✔
123	}
124
125	return $this->type ?: null;	1✔
126	}
127
128
129	/**
130	* Returns the appropriate file extension (without the period) corresponding to the detected MIME type. Requires the PHP extension fileinfo.
131	*/
132	public function getSuggestedExtension(): ?string
133	{
134	if ($this->isOk() && $this->extension === null) {	1✔
135	$exts = finfo_file(finfo_open(FILEINFO_EXTENSION), $this->tmpName);	1✔
136	if ($exts && $exts !== '???') {	1✔
137	return $this->extension = preg_replace('~[/,].*~', '', $exts);	1✔
138	}
139	[, , $type] = @getimagesize($this->tmpName); // @ - files smaller than 12 bytes causes read error	1✔
140	if ($type) {	1✔
141	return $this->extension = image_type_to_extension($type, false);	×
142	}
143	$this->extension = false;	1✔
144	}
145
146	return $this->extension ?: null;	1✔
147	}
148
149
150	/**
151	* Returns the size of the uploaded file in bytes.
152	*/
153	public function getSize(): int
154	{
155	return $this->size;	1✔
156	}
157
158
159	/**
160	* Returns the path of the temporary location of the uploaded file.
161	*/
162	public function getTemporaryFile(): string
163	{
164	return $this->tmpName;	1✔
165	}
166
167
168	/**
169	* Returns the path of the temporary location of the uploaded file.
170	*/
171	public function __toString(): string
172	{
173	return $this->tmpName;	1✔
174	}
175
176
177	/**
178	* Returns the error code. It is be one of UPLOAD_ERR_XXX constants.
179	* @see http://php.net/manual/en/features.file-upload.errors.php
180	*/
181	public function getError(): int
182	{
183	return $this->error;	1✔
184	}
185
186
187	/**
188	* Returns true if the file was uploaded successfully.
189	*/
190	public function isOk(): bool
191	{
192	return $this->error === UPLOAD_ERR_OK;	1✔
193	}
194
195
196	/**
197	* Returns true if the user has uploaded a file.
198	*/
199	public function hasFile(): bool
200	{
201	return $this->error !== UPLOAD_ERR_NO_FILE;	1✔
202	}
203
204
205	/**
206	* Moves an uploaded file to a new location. If the destination file already exists, it will be overwritten.
207	*/
208	public function move(string $dest): static
209	{
210	$dir = dirname($dest);	×
211	Nette\Utils\FileSystem::createDir($dir);	×
212	@unlink($dest); // @ - file may not exists	×
213	Nette\Utils\Callback::invokeSafe(	×
214	is_uploaded_file($this->tmpName) ? 'move_uploaded_file' : 'rename',	×
215	[$this->tmpName, $dest],	×
216	function (string $message) use ($dest): void {	×
217	throw new Nette\InvalidStateException("Unable to move uploaded file '$this->tmpName' to '$dest'. $message");
218	},	×
219	);
220	@chmod($dest, 0o666); // @ - possible low permission to chmod	×
221	$this->tmpName = $dest;	×
222	return $this;	×
223	}
224
225
226	/**
227	* Returns true if the uploaded file is an image and the format is supported by PHP, so it can be loaded using the toImage() method.
228	* Detection is based on its signature, the integrity of the file is not checked. Requires PHP extensions fileinfo & gd.
229	*/
230	public function isImage(): bool
231	{
232	$types = array_map(fn($type) => Image::typeToMimeType($type), Image::getSupportedTypes());	1✔
233	return in_array($this->getContentType(), $types, strict: true);	1✔
234	}
235
236
237	/**
238	* Converts uploaded image to Nette\Utils\Image object.
239	* @throws Nette\Utils\ImageException If the upload was not successful or is not a valid image
240	*/
241	public function toImage(): Image
242	{
243	return Image::fromFile($this->tmpName);	×
244	}
245
246
247	/**
248	* Returns a pair of [width, height] with dimensions of the uploaded image.
249	*/
250	public function getImageSize(): ?array
251	{
252	return $this->isImage()	1✔
253	? array_intersect_key(getimagesize($this->tmpName), [0, 1])	1✔
254	: null;	1✔
255	}
256
257
258	/**
259	* Returns image file extension based on detected content type (without dot).
260	* @deprecated use getSuggestedExtension()
261	*/
262	public function getImageFileExtension(): ?string
263	{
264	return $this->getSuggestedExtension();	×
265	}
266
267
268	/**
269	* Returns the contents of the uploaded file. If the upload was not successful, it returns null.
270	*/
271	public function getContents(): ?string
272	{
273	// future implementation can try to work around safe_mode and open_basedir limitations
274	return $this->isOk()	1✔
275	? file_get_contents($this->tmpName)	1✔
276	: null;	1✔
277	}
278	}

nette / http / 8877511590

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous