• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

nette / http / 26462513624

26 May 2026 04:53PM UTC coverage: 83.183% (-0.2%) from 83.409%
26462513624

push

github

dg
added CLAUDE.md

920 of 1106 relevant lines covered (83.18%)

0.83 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

76.81
/src/Http/FileUpload.php
1
<?php declare(strict_types=1);
1✔
2

3
/**
4
 * This file is part of the Nette Framework (https://nette.org)
5
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6
 */
7

8
namespace Nette\Http;
9

10
use Nette;
11
use Nette\Utils\Image;
12
use function array_intersect_key, array_map, basename, chmod, dirname, file_get_contents, filesize, finfo_file, finfo_open, getimagesize, image_type_to_extension, in_array, is_string, is_uploaded_file, preg_replace, str_replace, trim, unlink;
13

14

15
/**
16
 * Provides access to individual files that have been uploaded by a client.
17
 *
18
 * @property-read string $name
19
 * @property-read string $sanitizedName
20
 * @property-read string $untrustedFullPath
21
 * @property-read ?string $contentType
22
 * @property-read int $size
23
 * @property-read string $temporaryFile
24
 * @property-read int $error
25
 * @property-read bool $ok
26
 * @property-read ?string $contents
27
 */
28
final class FileUpload
29
{
30
        use Nette\SmartObject;
31

32
        /** @deprecated */
33
        public const IMAGE_MIME_TYPES = ['image/gif', 'image/png', 'image/jpeg', 'image/webp'];
34

35
        private readonly string $name;
36
        private readonly ?string $fullPath;
37
        private string|false|null $type = null;
38
        private string|false|null $extension = null;
39
        private readonly int $size;
40
        private string $tmpName;
41
        private readonly int $error;
42

43

44
        /** @param array{name?: string, full_path?: string, size?: int, tmp_name?: string, error?: int, type?: string}|string|null  $value */
45
        public function __construct(array|string|null $value)
1✔
46
        {
47
                if (is_string($value)) {
1✔
48
                        $value = [
1✔
49
                                'name' => basename($value),
1✔
50
                                'full_path' => $value,
1✔
51
                                'size' => filesize($value) ?: 0,
1✔
52
                                'tmp_name' => $value,
1✔
53
                                'error' => UPLOAD_ERR_OK,
1✔
54
                        ];
55
                }
56

57
                $this->name = $value['name'] ?? '';
1✔
58
                $this->fullPath = $value['full_path'] ?? null;
1✔
59
                $this->size = $value['size'] ?? 0;
1✔
60
                $this->tmpName = $value['tmp_name'] ?? '';
1✔
61
                $this->error = $value['error'] ?? UPLOAD_ERR_NO_FILE;
1✔
62
        }
1✔
63

64

65
        /**
66
         * @deprecated use getUntrustedName()
67
         */
68
        public function getName(): string
69
        {
70
                return $this->name;
1✔
71
        }
72

73

74
        /**
75
         * Returns the original file name as submitted by the browser. Do not trust the value returned by this method.
76
         * A client could send a malicious filename with the intention to corrupt or hack your application.
77
         */
78
        public function getUntrustedName(): string
79
        {
80
                return $this->name;
1✔
81
        }
82

83

84
        /**
85
         * Returns the sanitized file name. The resulting name contains only ASCII characters [a-zA-Z0-9.-].
86
         * If the name does not contain such characters, it returns 'unknown'. If the file is an image supported by PHP,
87
         * it returns the correct file extension. Do not blindly trust the value returned by this method.
88
         */
89
        public function getSanitizedName(): string
90
        {
91
                $name = Nette\Utils\Strings::webalize($this->name, '.', lower: false);
1✔
92
                $name = str_replace(['-.', '.-'], '.', $name);
1✔
93
                $name = trim($name, '.-');
1✔
94
                $name = $name === '' ? 'unknown' : $name;
1✔
95
                if ($this->isImage()) {
1✔
96
                        $name = preg_replace('#\.[^.]+$#D', '', $name);
1✔
97
                        $name .= '.' . $this->getSuggestedExtension();
1✔
98
                }
99

100
                return $name;
1✔
101
        }
102

103

104
        /**
105
         * Returns the original full path as submitted by the browser during directory upload. Do not trust the value
106
         * returned by this method. A client could send a malicious directory structure with the intention to corrupt
107
         * or hack your application.
108
         */
109
        public function getUntrustedFullPath(): string
110
        {
111
                return $this->fullPath ?? $this->name;
1✔
112
        }
113

114

115
        /**
116
         * Detects the MIME content type of the uploaded file based on its signature. Requires PHP extension fileinfo.
117
         * If the upload was not successful or the detection failed, it returns null.
118
         */
119
        public function getContentType(): ?string
120
        {
121
                if ($this->isOk()) {
1✔
122
                        $this->type ??= ($finfo = finfo_open(FILEINFO_MIME_TYPE)) ? finfo_file($finfo, $this->tmpName) : false;
1✔
123
                }
124

125
                return $this->type ?: null;
1✔
126
        }
127

128

129
        /**
130
         * Returns the appropriate file extension (without the period) corresponding to the detected MIME type. Requires the PHP extension fileinfo.
131
         */
132
        public function getSuggestedExtension(): ?string
133
        {
134
                if ($this->isOk() && $this->extension === null) {
1✔
135
                        $finfo = finfo_open(FILEINFO_EXTENSION);
1✔
136
                        $exts = $finfo ? finfo_file($finfo, $this->tmpName) : false;
1✔
137
                        if ($exts && $exts !== '???') {
1✔
138
                                return $this->extension = preg_replace('~[/,].*~', '', $exts);
1✔
139
                        }
140
                        $info = Nette\Utils\Helpers::falseToNull(@getimagesize($this->tmpName)); // @ - files smaller than 12 bytes causes read error
1✔
141
                        if ($info) {
1✔
142
                                return $this->extension = image_type_to_extension($info[2], include_dot: false) ?: null;
×
143
                        }
144
                        $this->extension = false;
1✔
145
                }
146

147
                return $this->extension ?: null;
1✔
148
        }
149

150

151
        /**
152
         * Returns the size of the uploaded file in bytes.
153
         */
154
        public function getSize(): int
155
        {
156
                return $this->size;
1✔
157
        }
158

159

160
        /**
161
         * Returns the path of the temporary location of the uploaded file.
162
         */
163
        public function getTemporaryFile(): string
164
        {
165
                return $this->tmpName;
1✔
166
        }
167

168

169
        /**
170
         * Returns the path of the temporary location of the uploaded file.
171
         */
172
        public function __toString(): string
173
        {
174
                return $this->tmpName;
1✔
175
        }
176

177

178
        /**
179
         * Returns the upload error code (one of the UPLOAD_ERR_XXX constants).
180
         * @see http://php.net/manual/en/features.file-upload.errors.php
181
         */
182
        public function getError(): int
183
        {
184
                return $this->error;
1✔
185
        }
186

187

188
        /**
189
         * Returns true if the file was uploaded successfully.
190
         */
191
        public function isOk(): bool
192
        {
193
                return $this->error === UPLOAD_ERR_OK;
1✔
194
        }
195

196

197
        /**
198
         * Returns true if the user has uploaded a file.
199
         */
200
        public function hasFile(): bool
201
        {
202
                return $this->error !== UPLOAD_ERR_NO_FILE;
1✔
203
        }
204

205

206
        /**
207
         * Moves an uploaded file to a new location. If the destination file already exists, it will be overwritten.
208
         */
209
        public function move(string $dest): static
210
        {
211
                $dir = dirname($dest);
×
212
                Nette\Utils\FileSystem::createDir($dir);
×
213
                @unlink($dest); // @ - file may not exists
×
214
                Nette\Utils\Callback::invokeSafe(
×
215
                        is_uploaded_file($this->tmpName) ? 'move_uploaded_file' : 'rename',
×
216
                        [$this->tmpName, $dest],
×
217
                        function (string $message) use ($dest): void {
×
218
                                throw new Nette\InvalidStateException("Unable to move uploaded file '$this->tmpName' to '$dest'. $message");
219
                        },
×
220
                );
221
                @chmod($dest, 0o666); // @ - possible low permission to chmod
×
222
                $this->tmpName = $dest;
×
223
                return $this;
×
224
        }
225

226

227
        /**
228
         * Checks whether the uploaded file is an image in a format supported by PHP (detectable via fileinfo, loadable via GD).
229
         * Detection is based on file signature; full integrity is not verified.
230
         */
231
        public function isImage(): bool
232
        {
233
                $types = array_map(Image::typeToMimeType(...), Image::getSupportedTypes());
1✔
234
                return in_array($this->getContentType(), $types, strict: true);
1✔
235
        }
236

237

238
        /**
239
         * Converts uploaded image to Nette\Utils\Image object.
240
         * @throws Nette\Utils\ImageException  If the upload was not successful or is not a valid image
241
         */
242
        public function toImage(): Image
243
        {
244
                return Image::fromFile($this->tmpName);
×
245
        }
246

247

248
        /**
249
         * Returns the [width, height] dimensions of the uploaded image, or null if it is not a valid image.
250
         * @return ?array{int, int}
251
         */
252
        public function getImageSize(): ?array
253
        {
254
                return $this->isImage() && ($info = getimagesize($this->tmpName))
1✔
255
                        ? array_intersect_key($info, [0, 1])
1✔
256
                        : null;
1✔
257
        }
258

259

260
        /**
261
         * Returns image file extension based on detected content type (without dot).
262
         * @deprecated use getSuggestedExtension()
263
         */
264
        public function getImageFileExtension(): ?string
265
        {
266
                return $this->getSuggestedExtension();
×
267
        }
268

269

270
        /**
271
         * Returns the contents of the uploaded file. If the upload was not successful, it returns null.
272
         */
273
        public function getContents(): ?string
274
        {
275
                if (!$this->isOk()) {
1✔
276
                        return null;
×
277
                }
278

279
                $res = file_get_contents($this->tmpName);
1✔
280
                return $res === false
1✔
281
                        ? throw new Nette\IOException("Unable to read file '$this->tmpName'.")
×
282
                        : $res;
1✔
283
        }
284
}
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc