22293514258

Committed 23 Feb 2026 04:58AM UTC coverage: 83.62%. Remained the same

Build Type

push

github

Committed by

Commit Message

added CLAUDE.md

Coverage Stats

924 of 1105 relevant lines covered (83.62%)

0.84 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

77.78

/src/Http/FileUpload.php

<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Http;

use Nette;
use Nette\Utils\Image;
use function array_intersect_key, array_map, basename, chmod, dirname, file_get_contents, filesize, finfo_file, finfo_open, getimagesize, image_type_to_extension, in_array, is_string, is_uploaded_file, preg_replace, str_replace, trim, unlink;
use const FILEINFO_EXTENSION, FILEINFO_MIME_TYPE, UPLOAD_ERR_NO_FILE, UPLOAD_ERR_OK;


/**
 * Provides access to individual files that have been uploaded by a client.
 *
 * @property-read string $name
 * @property-read string $sanitizedName
 * @property-read string $untrustedFullPath
 * @property-read ?string $contentType
 * @property-read int $size
 * @property-read string $temporaryFile
 * @property-read int $error
 * @property-read bool $ok
 * @property-read ?string $contents
 */
final class FileUpload
{
        use Nette\SmartObject;

        /** @deprecated */
        public const IMAGE_MIME_TYPES = ['image/gif', 'image/png', 'image/jpeg', 'image/webp'];

        private readonly string $name;
        private readonly ?string $fullPath;
        private string|false|null $type = null;
        private string|false|null $extension = null;
        private readonly int $size;
        private string $tmpName;
        private readonly int $error;


        /** @param array{name?: string, full_path?: string, size?: int, tmp_name?: string, error?: int, type?: string}|string|null  $value */
        public function __construct(array|string|null $value)
        {
                if (is_string($value)) {
                        $value = [
                                'name' => basename($value),
                                'full_path' => $value,
                                'size' => filesize($value) ?: 0,
                                'tmp_name' => $value,
                                'error' => UPLOAD_ERR_OK,
                        ];
                }

                $this->name = $value['name'] ?? '';
                $this->fullPath = $value['full_path'] ?? null;
                $this->size = $value['size'] ?? 0;
                $this->tmpName = $value['tmp_name'] ?? '';
                $this->error = $value['error'] ?? UPLOAD_ERR_NO_FILE;
        }


        /**
         * @deprecated use getUntrustedName()
         */
        public function getName(): string
        {
                return $this->name;
        }


        /**
         * Returns the original file name as submitted by the browser. Do not trust the value returned by this method.
         * A client could send a malicious filename with the intention to corrupt or hack your application.
         */
        public function getUntrustedName(): string
        {
                return $this->name;
        }


        /**
         * Returns the sanitized file name. The resulting name contains only ASCII characters [a-zA-Z0-9.-].
         * If the name does not contain such characters, it returns 'unknown'. If the file is an image supported by PHP,
         * it returns the correct file extension. Do not blindly trust the value returned by this method.
         */
        public function getSanitizedName(): string
        {
                $name = Nette\Utils\Strings::webalize($this->name, '.', lower: false);
                $name = str_replace(['-.', '.-'], '.', $name);
                $name = trim($name, '.-');
                $name = $name === '' ? 'unknown' : $name;
                if ($this->isImage()) {
                        $name = preg_replace('#\.[^.]+$#D', '', $name);
                        $name .= '.' . $this->getSuggestedExtension();
                }

                return $name;
        }


        /**
         * Returns the original full path as submitted by the browser during directory upload. Do not trust the value
         * returned by this method. A client could send a malicious directory structure with the intention to corrupt
         * or hack your application.
         */
        public function getUntrustedFullPath(): string
        {
                return $this->fullPath ?? $this->name;
        }


        /**
         * Detects the MIME content type of the uploaded file based on its signature. Requires PHP extension fileinfo.
         * If the upload was not successful or the detection failed, it returns null.
         */
        public function getContentType(): ?string
        {
                if ($this->isOk()) {
                        $this->type ??= finfo_file(finfo_open(FILEINFO_MIME_TYPE), $this->tmpName);
                }

                return $this->type ?: null;
        }


        /**
         * Returns the appropriate file extension (without the period) corresponding to the detected MIME type. Requires the PHP extension fileinfo.
         */
        public function getSuggestedExtension(): ?string
        {
                if ($this->isOk() && $this->extension === null) {
                        $exts = finfo_file(finfo_open(FILEINFO_EXTENSION), $this->tmpName);
                        if ($exts && $exts !== '???') {
                                return $this->extension = preg_replace('~[/,].*~', '', $exts);
                        }
                        [, , $type] = Nette\Utils\Helpers::falseToNull(@getimagesize($this->tmpName)); // @ - files smaller than 12 bytes causes read error
                        if ($type) {
                                return $this->extension = image_type_to_extension($type, include_dot: false) ?: null;
                        }
                        $this->extension = false;
                }

                return $this->extension ?: null;
        }


        /**
         * Returns the size of the uploaded file in bytes.
         */
        public function getSize(): int
        {
                return $this->size;
        }


        /**
         * Returns the path of the temporary location of the uploaded file.
         */
        public function getTemporaryFile(): string
        {
                return $this->tmpName;
        }


        /**
         * Returns the path of the temporary location of the uploaded file.
         */
        public function __toString(): string
        {
                return $this->tmpName;
        }


        /**
         * Returns the error code. It has to be one of UPLOAD_ERR_XXX constants.
         * @see http://php.net/manual/en/features.file-upload.errors.php
         */
        public function getError(): int
        {
                return $this->error;
        }


        /**
         * Returns true if the file was uploaded successfully.
         */
        public function isOk(): bool
        {
                return $this->error === UPLOAD_ERR_OK;
        }


        /**
         * Returns true if the user has uploaded a file.
         */
        public function hasFile(): bool
        {
                return $this->error !== UPLOAD_ERR_NO_FILE;
        }


        /**
         * Moves an uploaded file to a new location. If the destination file already exists, it will be overwritten.
         */
        public function move(string $dest): static
        {
                $dir = dirname($dest);
                Nette\Utils\FileSystem::createDir($dir);
                @unlink($dest); // @ - file may not exists
                Nette\Utils\Callback::invokeSafe(
                        is_uploaded_file($this->tmpName) ? 'move_uploaded_file' : 'rename',
                        [$this->tmpName, $dest],
                        function (string $message) use ($dest): void {
                                throw new Nette\InvalidStateException("Unable to move uploaded file '$this->tmpName' to '$dest'. $message");
                        },
                );
                @chmod($dest, 0o666); // @ - possible low permission to chmod
                $this->tmpName = $dest;
                return $this;
        }


        /**
         * Returns true if the uploaded file is an image and the format is supported by PHP, so it can be loaded using the toImage() method.
         * Detection is based on its signature, the integrity of the file is not checked. Requires PHP extensions fileinfo & gd.
         */
        public function isImage(): bool
        {
                $types = array_map(Image::typeToMimeType(...), Image::getSupportedTypes());
                return in_array($this->getContentType(), $types, strict: true);
        }


        /**
         * Converts uploaded image to Nette\Utils\Image object.
         * @throws Nette\Utils\ImageException  If the upload was not successful or is not a valid image
         */
        public function toImage(): Image
        {
                return Image::fromFile($this->tmpName);
        }


        /**
         * Returns a pair of [width, height] with dimensions of the uploaded image.
         * @return ?array{int, int}
         */
        public function getImageSize(): ?array
        {
                return $this->isImage()
                        ? array_intersect_key(getimagesize($this->tmpName), [0, 1])
                        : null;
        }


        /**
         * Returns image file extension based on detected content type (without dot).
         * @deprecated use getSuggestedExtension()
         */
        public function getImageFileExtension(): ?string
        {
                return $this->getSuggestedExtension();
        }


        /**
         * Returns the contents of the uploaded file. If the upload was not successful, it returns null.
         */
        public function getContents(): ?string
        {
                return $this->isOk()
                        ? (string) file_get_contents($this->tmpName)
                        : null;
        }
}

1	<?php declare(strict_types=1);
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	namespace Nette\Http;
9
10	use Nette;
11	use Nette\Utils\Image;
12	use function array_intersect_key, array_map, basename, chmod, dirname, file_get_contents, filesize, finfo_file, finfo_open, getimagesize, image_type_to_extension, in_array, is_string, is_uploaded_file, preg_replace, str_replace, trim, unlink;
13	use const FILEINFO_EXTENSION, FILEINFO_MIME_TYPE, UPLOAD_ERR_NO_FILE, UPLOAD_ERR_OK;
14
15
16	/**
17	* Provides access to individual files that have been uploaded by a client.
18	*
19	* @property-read string $name
20	* @property-read string $sanitizedName
21	* @property-read string $untrustedFullPath
22	* @property-read ?string $contentType
23	* @property-read int $size
24	* @property-read string $temporaryFile
25	* @property-read int $error
26	* @property-read bool $ok
27	* @property-read ?string $contents
28	*/
29	final class FileUpload
30	{
31	use Nette\SmartObject;
32
33	/** @deprecated */
34	public const IMAGE_MIME_TYPES = ['image/gif', 'image/png', 'image/jpeg', 'image/webp'];
35
36	private readonly string $name;
37	private readonly ?string $fullPath;
38	private string\|false\|null $type = null;
39	private string\|false\|null $extension = null;
40	private readonly int $size;
41	private string $tmpName;
42	private readonly int $error;
43
44
45	/** @param array{name?: string, full_path?: string, size?: int, tmp_name?: string, error?: int, type?: string}\|string\|null $value */
46	public function __construct(array\|string\|null $value)	1✔
47	{
48	if (is_string($value)) {	1✔
49	$value = [	1✔
50	'name' => basename($value),	1✔
51	'full_path' => $value,	1✔
52	'size' => filesize($value) ?: 0,	1✔
53	'tmp_name' => $value,	1✔
54	'error' => UPLOAD_ERR_OK,
55	];
56	}
57
58	$this->name = $value['name'] ?? '';	1✔
59	$this->fullPath = $value['full_path'] ?? null;	1✔
60	$this->size = $value['size'] ?? 0;	1✔
61	$this->tmpName = $value['tmp_name'] ?? '';	1✔
62	$this->error = $value['error'] ?? UPLOAD_ERR_NO_FILE;	1✔
63	}	1✔
64
65
66	/**
67	* @deprecated use getUntrustedName()
68	*/
69	public function getName(): string
70	{
71	return $this->name;	1✔
72	}
73
74
75	/**
76	* Returns the original file name as submitted by the browser. Do not trust the value returned by this method.
77	* A client could send a malicious filename with the intention to corrupt or hack your application.
78	*/
79	public function getUntrustedName(): string
80	{
81	return $this->name;	1✔
82	}
83
84
85	/**
86	* Returns the sanitized file name. The resulting name contains only ASCII characters [a-zA-Z0-9.-].
87	* If the name does not contain such characters, it returns 'unknown'. If the file is an image supported by PHP,
88	* it returns the correct file extension. Do not blindly trust the value returned by this method.
89	*/
90	public function getSanitizedName(): string
91	{
92	$name = Nette\Utils\Strings::webalize($this->name, '.', lower: false);	1✔
93	$name = str_replace(['-.', '.-'], '.', $name);	1✔
94	$name = trim($name, '.-');	1✔
95	$name = $name === '' ? 'unknown' : $name;	1✔
96	if ($this->isImage()) {	1✔
97	$name = preg_replace('#\.[^.]+$#D', '', $name);	1✔
98	$name .= '.' . $this->getSuggestedExtension();	1✔
99	}
100
101	return $name;	1✔
102	}
103
104
105	/**
106	* Returns the original full path as submitted by the browser during directory upload. Do not trust the value
107	* returned by this method. A client could send a malicious directory structure with the intention to corrupt
108	* or hack your application.
109	*/
110	public function getUntrustedFullPath(): string
111	{
112	return $this->fullPath ?? $this->name;	1✔
113	}
114
115
116	/**
117	* Detects the MIME content type of the uploaded file based on its signature. Requires PHP extension fileinfo.
118	* If the upload was not successful or the detection failed, it returns null.
119	*/
120	public function getContentType(): ?string
121	{
122	if ($this->isOk()) {	1✔
123	$this->type ??= finfo_file(finfo_open(FILEINFO_MIME_TYPE), $this->tmpName);	1✔
124	}
125
126	return $this->type ?: null;	1✔
127	}
128
129
130	/**
131	* Returns the appropriate file extension (without the period) corresponding to the detected MIME type. Requires the PHP extension fileinfo.
132	*/
133	public function getSuggestedExtension(): ?string
134	{
135	if ($this->isOk() && $this->extension === null) {	1✔
136	$exts = finfo_file(finfo_open(FILEINFO_EXTENSION), $this->tmpName);	1✔
137	if ($exts && $exts !== '???') {	1✔
138	return $this->extension = preg_replace('~[/,].*~', '', $exts);	1✔
139	}
140	[, , $type] = Nette\Utils\Helpers::falseToNull(@getimagesize($this->tmpName)); // @ - files smaller than 12 bytes causes read error	1✔
141	if ($type) {	1✔
142	return $this->extension = image_type_to_extension($type, include_dot: false) ?: null;	×
143	}
144	$this->extension = false;	1✔
145	}
146
147	return $this->extension ?: null;	1✔
148	}
149
150
151	/**
152	* Returns the size of the uploaded file in bytes.
153	*/
154	public function getSize(): int
155	{
156	return $this->size;	1✔
157	}
158
159
160	/**
161	* Returns the path of the temporary location of the uploaded file.
162	*/
163	public function getTemporaryFile(): string
164	{
165	return $this->tmpName;	1✔
166	}
167
168
169	/**
170	* Returns the path of the temporary location of the uploaded file.
171	*/
172	public function __toString(): string
173	{
174	return $this->tmpName;	1✔
175	}
176
177
178	/**
179	* Returns the error code. It has to be one of UPLOAD_ERR_XXX constants.
180	* @see http://php.net/manual/en/features.file-upload.errors.php
181	*/
182	public function getError(): int
183	{
184	return $this->error;	1✔
185	}
186
187
188	/**
189	* Returns true if the file was uploaded successfully.
190	*/
191	public function isOk(): bool
192	{
193	return $this->error === UPLOAD_ERR_OK;	1✔
194	}
195
196
197	/**
198	* Returns true if the user has uploaded a file.
199	*/
200	public function hasFile(): bool
201	{
202	return $this->error !== UPLOAD_ERR_NO_FILE;	1✔
203	}
204
205
206	/**
207	* Moves an uploaded file to a new location. If the destination file already exists, it will be overwritten.
208	*/
209	public function move(string $dest): static
210	{
211	$dir = dirname($dest);	×
212	Nette\Utils\FileSystem::createDir($dir);	×
213	@unlink($dest); // @ - file may not exists	×
214	Nette\Utils\Callback::invokeSafe(	×
215	is_uploaded_file($this->tmpName) ? 'move_uploaded_file' : 'rename',	×
216	[$this->tmpName, $dest],	×
217	function (string $message) use ($dest): void {	×
218	throw new Nette\InvalidStateException("Unable to move uploaded file '$this->tmpName' to '$dest'. $message");
219	},	×
220	);
221	@chmod($dest, 0o666); // @ - possible low permission to chmod	×
222	$this->tmpName = $dest;	×
223	return $this;	×
224	}
225
226
227	/**
228	* Returns true if the uploaded file is an image and the format is supported by PHP, so it can be loaded using the toImage() method.
229	* Detection is based on its signature, the integrity of the file is not checked. Requires PHP extensions fileinfo & gd.
230	*/
231	public function isImage(): bool
232	{
233	$types = array_map(Image::typeToMimeType(...), Image::getSupportedTypes());	1✔
234	return in_array($this->getContentType(), $types, strict: true);	1✔
235	}
236
237
238	/**
239	* Converts uploaded image to Nette\Utils\Image object.
240	* @throws Nette\Utils\ImageException If the upload was not successful or is not a valid image
241	*/
242	public function toImage(): Image
243	{
244	return Image::fromFile($this->tmpName);	×
245	}
246
247
248	/**
249	* Returns a pair of [width, height] with dimensions of the uploaded image.
250	* @return ?array{int, int}
251	*/
252	public function getImageSize(): ?array
253	{
254	return $this->isImage()	1✔
255	? array_intersect_key(getimagesize($this->tmpName), [0, 1])	1✔
256	: null;	1✔
257	}
258
259
260	/**
261	* Returns image file extension based on detected content type (without dot).
262	* @deprecated use getSuggestedExtension()
263	*/
264	public function getImageFileExtension(): ?string
265	{
266	return $this->getSuggestedExtension();	×
267	}
268
269
270	/**
271	* Returns the contents of the uploaded file. If the upload was not successful, it returns null.
272	*/
273	public function getContents(): ?string
274	{
275	return $this->isOk()	1✔
276	? (string) file_get_contents($this->tmpName)	1✔
277	: null;	1✔
278	}
279	}

nette / http / 22293514258

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous