[ZF-7617] Zend_Validate_File:

- added headerCheck option
- disallowed header check per default for security reasons

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@17685 44c647ce-9c0f-0410-b52a-842ac1e357ba

documentation/manual/en/module_specs/Zend_File_Transfer-Migration.xml

@@ -5,12 +5,59 @@
     <title>Migrating from previous versions</title>
 
     <para>
-        The <acronym>API</acronym> of <classname>Zend_File_Transfer</classname> has changed from
-        time to time. If you started to use <classname>Zend_File_Transfer</classname> and it's
-        subcomponents in earlier versions follow the guidelines below to migrate your scripts to
+        The <acronym>API</acronym> of <classname>Zend_File_Transfer</classname> has changed from time to time.
+        If you started to use <classname>Zend_File_Transfer</classname> and it's subcomponents
+        in earlier versions follow the guidelines below to migrate your scripts to
         use the new <acronym>API</acronym>.
     </para>
 
+    <sect2 id="zend.file.transfer.migration.fromonenineonetooneten">
+        <title>Migrating from 1.9 to 1.10 or newer</title>
+        <sect3 id="zend.file.transfer.migration.fromonenineonetooneten.mimetype">
+            <title>MimeType validation</title>
+
+            <para>
+                For security reasons we had to turn off the default fallback mechanism of the
+                <classname>MimeType</classname>, <classname>ExcludeMimeType</classname>,
+                <classname>IsCompressed</classname> and <classname>IsImage</classname> validators.
+                This means, that if the <emphasis>fileInfo</emphasis> or
+                <emphasis>magicMime</emphasis> extensions can not be found, the validation will
+                always fail.
+            </para>
+
+            <para>
+                If you are in need of validation by using the <acronym>HTTP</acronym> fields which
+                are provided by the user then you can turn on this feature by using the
+                <methodname>enableHeaderCheck()</methodname> method.
+            </para>
+
+            <note>
+                <title>Security hint</title>
+
+                <para>
+                    You should note that relying on the <acronym>HTTP</acronym> fields, which are
+                    provided by your user, is a security risk. They can easily be changed and could
+                    allow your user to provide a malcious file.
+                    If you are in need of validation by using the <acronym>HTTP</acronym> fields
+                    which are provided by the user then you can turn on this feature by using the
+                    <methodname>enableHeaderCheck()</methodname> method.
+                </para>
+            </note>
+
+            <example id="zend.file.transfer.migration.fromonenineonetooneten.example">
+                <title>Allow the usage of the HTTP fields</title>
+
+                <programlisting language="php"><![CDATA[
+// at initiation
+$valid = new Zend_File_Transfer_Adapter_Http(array('headerCheck' => true);
+
+// or afterwards
+$valid->enableHeaderCheck();
+]]></programlisting>
+        </example>
+        </sect3>
+    </sect2>
+
     <sect2 id="zend.file.transfer.migration.fromonesixtooneseven">
         <title>Migrating from 1.6 to 1.7 or newer</title>
         <sect3 id="zend.file.transfer.migration.fromonesixtooneseven.validators">
@@ -39,16 +86,15 @@
 
                 <itemizedlist>
                     <listitem><para>
-                        Old method <acronym>API</acronym>:
-                        <classname>Zend_Filter_File_Rename($oldfile, $newfile,
+                        Old method <acronym>API</acronym>: <classname>Zend_Filter_File_Rename($oldfile, $newfile,
                             $overwrite)</classname>
                     </para></listitem>
 
                     <listitem><para>
-                        New method <acronym>API</acronym>:
-                        <methodname>Zend_Filter_File_Rename($options)</methodname> where $options
-                        accepts the following array keys: <emphasis>source</emphasis> equals to
-                        $oldfile, <emphasis>target</emphasis> equals to $newfile,
+                        New method <acronym>API</acronym>: <methodname>Zend_Filter_File_Rename($options)</methodname>
+                        where $options accepts the following array keys:
+                        <emphasis>source</emphasis> equals to $oldfile,
+                        <emphasis>target</emphasis> equals to $newfile,
                         <emphasis>overwrite</emphasis> equals to $overwrite
                     </para></listitem>
                 </itemizedlist>
@@ -77,14 +123,13 @@ $upload->addFilter('Rename',
 
                 <itemizedlist>
                     <listitem><para>
-                        Old method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_Count($min, $max)</methodname>
+                        Old method <acronym>API</acronym>: <methodname>Zend_Validate_File_Count($min, $max)</methodname>
                     </para></listitem>
 
                     <listitem><para>
-                        New method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_Count($options)</methodname> where $options
-                        accepts the following array keys: <emphasis>min</emphasis> equals to $min,
+                        New method <acronym>API</acronym>: <methodname>Zend_Validate_File_Count($options)</methodname>
+                        where $options accepts the following array keys:
+                        <emphasis>min</emphasis> equals to $min,
                         <emphasis>max</emphasis> equals to $max,
                     </para></listitem>
                 </itemizedlist>
@@ -113,14 +158,14 @@ $upload->addValidator('Count',
 
                 <itemizedlist>
                     <listitem><para>
-                        Old method <acronym>API</acronym>:
-                        <classname>Zend_Validate_File_Extension($extension, $case)</classname>
+                        Old method <acronym>API</acronym>: <classname>Zend_Validate_File_Extension($extension,
+                            $case)</classname>
                     </para></listitem>
 
                     <listitem><para>
                         New method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_Extension($options)</methodname> where
-                        $options accepts the following array keys:
+                        <methodname>Zend_Validate_File_Extension($options)</methodname> where $options
+                        accepts the following array keys:
                         <emphasis>*</emphasis> equals to $extension and can have any other key,
                         <emphasis>case</emphasis> equals to $case,
                     </para></listitem>
@@ -150,14 +195,14 @@ $upload->addValidator('Extension',
 
                 <itemizedlist>
                     <listitem><para>
-                        Old method <acronym>API</acronym>:
-                        <classname>Zend_Validate_File_FilesSize($min, $max, $bytestring)</classname>
+                        Old method <acronym>API</acronym>: <classname>Zend_Validate_File_FilesSize($min, $max,
+                            $bytestring)</classname>
                     </para></listitem>
 
                     <listitem><para>
                         New method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_FilesSize($options)</methodname> where
-                        $options accepts the following array keys:
+                        <methodname>Zend_Validate_File_FilesSize($options)</methodname> where $options
+                        accepts the following array keys:
                         <emphasis>min</emphasis> equals to $min,
                         <emphasis>max</emphasis> equals to $max,
                         <emphasis>bytestring</emphasis> equals to $bytestring
@@ -208,8 +253,7 @@ $upload->setUseByteSting(true); // set flag
                     </para></listitem>
 
                     <listitem><para>
-                        New method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_Hash($options)</methodname>
+                        New method <acronym>API</acronym>: <methodname>Zend_Validate_File_Hash($options)</methodname>
                         where $options accepts the following array keys:
                         <emphasis>*</emphasis> equals to $hash and can have any other key,
                         <emphasis>algorithm</emphasis> equals to $algorithm,
@@ -240,16 +284,15 @@ $upload->addValidator('Hash',
 
                 <itemizedlist>
                     <listitem><para>
-                        Old method <acronym>API</acronym>:
-                        <classname>Zend_Validate_File_ImageSize($minwidth, $minheight, $maxwidth,
-                            $maxheight)</classname>
+                        Old method <acronym>API</acronym>: <classname>Zend_Validate_File_ImageSize($minwidth,
+                            $minheight, $maxwidth, $maxheight)</classname>
                     </para></listitem>
 
                     <listitem><para>
                         New method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_FilesSize($options)</methodname> where
-                        $options accepts the following array keys: <emphasis>minwidth</emphasis>
-                        equals to $minwidth, <emphasis>maxwidth</emphasis> equals to $maxwidth,
+                        <methodname>Zend_Validate_File_FilesSize($options)</methodname> where $options
+                        accepts the following array keys: <emphasis>minwidth</emphasis> equals to
+                        $minwidth, <emphasis>maxwidth</emphasis> equals to $maxwidth,
                         <emphasis>minheight</emphasis> equals to $minheight,
                         <emphasis>maxheight</emphasis> equals to $maxheight,
                     </para></listitem>
@@ -281,14 +324,14 @@ $upload->addValidator('ImageSize',
 
                 <itemizedlist>
                     <listitem><para>
-                        Old method <acronym>API</acronym>: <classname>Zend_Validate_File_Size($min,
-                            $max, $bytestring)</classname>
+                        Old method <acronym>API</acronym>: <classname>Zend_Validate_File_Size($min, $max,
+                            $bytestring)</classname>
                     </para></listitem>
 
                     <listitem><para>
-                        New method <acronym>API</acronym>:
-                        <methodname>Zend_Validate_File_Size($options)</methodname> where $options
-                        accepts the following array keys: <emphasis>min</emphasis> equals to $min,
+                        New method <acronym>API</acronym>: <methodname>Zend_Validate_File_Size($options)</methodname>
+                        where $options accepts the following array keys:
+                        <emphasis>min</emphasis> equals to $min,
                         <emphasis>max</emphasis> equals to $max,
                         <emphasis>bytestring</emphasis> equals to $bytestring
                     </para></listitem>
@@ -336,19 +379,18 @@ $upload->addValidator('Size',
 
             <itemizedlist>
                 <listitem><para>
-                    Old method <acronym>API</acronym>: <methodname>addValidator($validator,
-                        $options, $files)</methodname>.
+                    Old method <acronym>API</acronym>: <methodname>addValidator($validator, $options, $files)</methodname>.
                 </para></listitem>
 
                 <listitem><para>
-                    New method <acronym>API</acronym>: <code>addValidator($validator,
-                        $breakChainOnFailure, $options, $files)</code>.
+                    New method <acronym>API</acronym>: <code>addValidator($validator, $breakChainOnFailure, $options,
+                        $files)</code>.
                 </para></listitem>
             </itemizedlist>
 
             <para>
-                To migrate your scripts to the new <acronym>API</acronym>, simply add a
-                <constant>FALSE</constant> after defining the wished validator.
+                To migrate your scripts to the new <acronym>API</acronym>, simply add a <constant>FALSE</constant>
+                after defining the wished validator.
             </para>
 
             <example id="zend.file.transfer.migration.fromonesixonetoonesixtwo.example">

documentation/manual/en/module_specs/Zend_File_Transfer-Validators.xml

@@ -436,8 +436,8 @@ $upload->addValidator('Count', false, array('min' =>1, 'max' => 5));
 
         <para>
             The <code>Crc32</code> validator checks the content of a transferred file by hashing it.
-            This validator uses the hash extension from <acronym>PHP</acronym> with the crc32
-            algorithm. It supports the following options:
+            This validator uses the hash extension from <acronym>PHP</acronym> with the crc32 algorithm.
+            It supports the following options:
         </para>
 
         <itemizedlist>
@@ -558,14 +558,22 @@ $upload->addValidator('ExcludeExtension',
                     are not to be accepted.
                 </para>
             </listitem>
+
+            <listitem>
+                <para>
+                    <code>headerCheck</code>: If set to <constant>TRUE</constant> this option will
+                    check the <acronym>HTTP</acronym> Information for the file type when the
+                    <emphasis>fileInfo</emphasis> or <emphasis>mimeMagic</emphasis> extensions can
+                    not be found. The default value for this option is <constant>FALSE</constant>.
+                </para>
+            </listitem>
         </itemizedlist>
 
         <para>
-            This validator accepts multiple <acronym>MIME</acronym> types, either as a
-            comma-delimited string, or as an array. You may also use the methods
-            <methodname>setMimeType()</methodname>, <methodname>addMimeType()</methodname>, and
-            <methodname>getMimeType()</methodname> to set and retrieve the <acronym>MIME</acronym>
-            types.
+            This validator accepts multiple <acronym>MIME</acronym> types, either as a comma-delimited string, or as
+            an array. You may also use the methods <methodname>setMimeType()</methodname>,
+            <methodname>addMimeType()</methodname>, and <methodname>getMimeType()</methodname> to
+            set and retrieve the <acronym>MIME</acronym> types.
         </para>
 
         <example id="zend.file.transfer.validators.excludemimetype.example">
@@ -587,19 +595,18 @@ $upload->addValidator('ExcludeMimeType', false, 'image');
         </example>
 
         <para>
-            The above example shows that it is also possible to disallow groups of
-            <acronym>MIME</acronym> types. For example, to disallow all images, just use 'image' as
-            the <acronym>MIME</acronym> type. This can be used for all groups of
-            <acronym>MIME</acronym> types like 'image', 'audio', 'video', 'text', etc.
+            The above example shows that it is also possible to disallow groups of <acronym>MIME</acronym> types.
+            For example, to disallow all images, just use 'image' as the <acronym>MIME</acronym> type. This can be used
+            for all groups of <acronym>MIME</acronym> types like 'image', 'audio', 'video', 'text', etc.
         </para>
 
         <note>
             <para>
-                Note that disallowing groups of <acronym>MIME</acronym> types will disallow all
-                members of this group even if this is not intentional. When you disallow 'image' you
-                will disallow all types of images like 'image/jpeg' or 'image/vasa'. When you are
-                not sure if you want to disallow all types, you should disallow only specific
-                <acronym>MIME</acronym> types instead of complete groups.
+                Note that disallowing groups of <acronym>MIME</acronym> types will disallow all members of this group
+                even if this is not intentional. When you disallow 'image' you will disallow all
+                types of images like 'image/jpeg' or 'image/vasa'. When you are not sure if you want
+                to disallow all types, you should disallow only specific <acronym>MIME</acronym> types instead of
+                complete groups.
             </para>
         </note>
     </sect2>
@@ -912,7 +919,7 @@ $upload->addValidator('IsCompressed', false, 'zip');
         <note>
             <para>
                 Note that there is no check if you set a <acronym>MIME</acronym> type that is not a
-                archive. for example, it would be possible to define gif files to be accepted by
+                archive. For example, it would be possible to define gif files to be accepted by
                 this validator. Using the 'MimeType' validator for files which are not archived will
                 result in more readable code.
             </para>
@@ -949,7 +956,7 @@ $upload->addValidator('IsImage', false, 'jpeg');
         <note>
             <para>
                 Note that there is no check if you set a <acronym>MIME</acronym> type that is not an
-                image. for example, it would be possible to define zip files to be accepted by this
+                image. For example, it would be possible to define zip files to be accepted by this
                 validator. Using the 'MimeType' validator for files which are not images will result
                 in more readable code.
             </para>
@@ -1025,8 +1032,8 @@ $upload->addValidator('Hash',
 
         <para>
             The <code>Md5</code> validator checks the content of a transferred file by hashing it.
-            This validator uses the hash extension for <acronym>PHP</acronym> with the md5
-            algorithm. It supports the following options:
+            This validator uses the hash extension for <acronym>PHP</acronym> with the md5 algorithm.
+            It supports the following options:
         </para>
 
         <itemizedlist>
@@ -1064,15 +1071,15 @@ $upload->addValidator('Md5',
         <title>MimeType Validator</title>
 
         <para>
-            The <code>MimeType</code> validator checks the <acronym>MIME</acronym> type of
-            transferred files. It supports the following options:
+            The <code>MimeType</code> validator checks the <acronym>MIME</acronym> type of transferred files.
+            It supports the following options:
         </para>
 
         <itemizedlist>
             <listitem>
                 <para>
-                    <code>*</code>: Sets any key or use a numeric array. Sets the
-                    <acronym>MIME</acronym> type to validate against.
+                    <code>*</code>: Sets any key or use a numeric array. Sets the <acronym>MIME</acronym> type to
+                    validate against.
                 </para>
 
                 <para>
@@ -1082,6 +1089,15 @@ $upload->addValidator('Md5',
 
             <listitem>
                 <para>
+                    <code>headerCheck</code>: If set to <constant>TRUE</constant> this option will
+                    check the <acronym>HTTP</acronym> Information for the file type when the
+                    <emphasis>fileInfo</emphasis> or <emphasis>mimeMagic</emphasis> extensions can
+                    not be found. The default value for this option is <constant>FALSE</constant>.
+                </para>
+            </listitem>
+
+            <listitem>
+                <para>
                     <code>magicfile</code>: The magicfile to be used.
                 </para>
 
@@ -1220,8 +1236,8 @@ $upload->addValidator('NotExists', false,
 
         <para>
             The <code>Sha1</code> validator checks the content of a transferred file by hashing it.
-            This validator uses the hash extension for <acronym>PHP</acronym> with the sha1
-            algorithm. It supports the following options:
+            This validator uses the hash extension for <acronym>PHP</acronym> with the sha1 algorithm.
+            It supports the following options:
         </para>
 
         <itemizedlist>

library/Zend/Validate/File/ExcludeMimeType.php

@@ -64,7 +64,7 @@ class Zend_Validate_File_ExcludeMimeType extends Zend_Validate_File_MimeType
                 unset($mime);
             } elseif (function_exists('mime_content_type') && ini_get('mime_magic.magicfile')) {
                 $this->_type = mime_content_type($value);
-            } else {
+            } elseif ($this->_headerCheck) {
                 $this->_type = $file['type'];
             }
         }

library/Zend/Validate/File/IsCompressed.php

@@ -106,7 +106,7 @@ class Zend_Validate_File_IsCompressed extends Zend_Validate_File_MimeType
                 unset($mime);
             } elseif (function_exists('mime_content_type') && ini_get('mime_magic.magicfile')) {
                 $this->_type = mime_content_type($value);
-            } else {
+            } elseif ($this->_headerCheck) {
                 $this->_type = $file['type'];
             }
         }

library/Zend/Validate/File/IsImage.php

@@ -110,7 +110,7 @@ class Zend_Validate_File_IsImage extends Zend_Validate_File_MimeType
                 unset($mime);
             } elseif (function_exists('mime_content_type') && ini_get('mime_magic.magicfile')) {
                 $this->_type = mime_content_type($value);
-            } else {
+            } elseif ($this->_headerCheck) {
                 $this->_type = $file['type'];
             }
         }

library/Zend/Validate/File/MimeType.php

@@ -80,6 +80,13 @@ class Zend_Validate_File_MimeType extends Zend_Validate_Abstract
     protected $_magicfile;
 
     /**
+     * Option to allow header check
+     *
+     * @var boolean
+     */
+    protected $_headerCheck = false;
+
+    /**
      * Sets validator options
      *
      * Mimetype to accept
@@ -102,11 +109,15 @@ class Zend_Validate_File_MimeType extends Zend_Validate_Abstract
             $this->setMagicFile($mimetype['magicfile']);
         }
 
+        if (isset($mimetype['headerCheck'])) {
+            $this->enableHeaderCheck(true);
+        }
+
         $this->setMimeType($mimetype);
     }
 
     /**
-     * Returna the actual set magicfile
+     * Returns the actual set magicfile
      *
      * @return string
      */
@@ -137,6 +148,29 @@ class Zend_Validate_File_MimeType extends Zend_Validate_Abstract
     }
 
     /**
+     * Returns the Header Check option
+     *
+     * @return boolean
+     */
+    public function getHeaderCheck()
+    {
+        return $this->_headerCheck;
+    }
+
+    /**
+     * Defines if the http header should be used
+     * Note that this is unsave and therefor the default value is false
+     *
+     * @param  boolean $checkHeader
+     * @return Zend_Validate_File_MimeType Provides fluid interface
+     */
+    public function enableHeaderCheck($headerCheck = true)
+    {
+        $this->_headerCheck = (boolean) $headerCheck;
+        return $this;
+    }
+
+    /**
      * Returns the set mimetypes
      *
      * @param  boolean $asArray Returns the values as array, when false an concated string is returned
@@ -246,7 +280,7 @@ class Zend_Validate_File_MimeType extends Zend_Validate_Abstract
             if (empty($this->_type)) {
                 if (function_exists('mime_content_type') && ini_get('mime_magic.magicfile')) {
                     $this->_type = mime_content_type($value);
-                } else {
+                } elseif ($this->_headerCheck) {
                     $this->_type = $file['type'];
                 }
             }

tests/Zend/Validate/File/ExcludeMimeTypeTest.php

@@ -85,6 +85,7 @@ class Zend_Validate_File_ExcludeMimeTypeTest extends PHPUnit_Framework_TestCase
 
         foreach ($valuesExpected as $element) {
             $validator = new Zend_Validate_File_ExcludeMimeType($element[0]);
+            $validator->enableHeaderCheck();
             $this->assertEquals(
                 $element[1],
                 $validator->isValid(dirname(__FILE__) . '/_files/testsize.mo', $files),
@@ -121,11 +122,11 @@ class Zend_Validate_File_ExcludeMimeTypeTest extends PHPUnit_Framework_TestCase
         $validator->setMimeType('image/jpeg');
         $this->assertEquals('image/jpeg', $validator->getMimeType());
         $this->assertEquals(array('image/jpeg'), $validator->getMimeType(true));
-        
+
         $validator->setMimeType('image/gif, text/test');
         $this->assertEquals('image/gif,text/test', $validator->getMimeType());
         $this->assertEquals(array('image/gif', 'text/test'), $validator->getMimeType(true));
-        
+
         $validator->setMimeType(array('video/mpeg', 'gif'));
         $this->assertEquals('video/mpeg,gif', $validator->getMimeType());
         $this->assertEquals(array('video/mpeg', 'gif'), $validator->getMimeType(true));

tests/Zend/Validate/File/IsCompressedTest.php

@@ -85,6 +85,7 @@ class Zend_Validate_File_IsCompressedTest extends PHPUnit_Framework_TestCase
 
         foreach ($valuesExpected as $element) {
             $validator = new Zend_Validate_File_IsCompressed($element[0]);
+            $validator->enableHeaderCheck();
             $this->assertEquals(
                 $element[1],
                 $validator->isValid(dirname(__FILE__) . '/_files/test.zip', $files),
@@ -121,11 +122,11 @@ class Zend_Validate_File_IsCompressedTest extends PHPUnit_Framework_TestCase
         $validator->setMimeType('image/jpeg');
         $this->assertEquals('image/jpeg', $validator->getMimeType());
         $this->assertEquals(array('image/jpeg'), $validator->getMimeType(true));
-        
+
         $validator->setMimeType('image/gif, text/test');
         $this->assertEquals('image/gif,text/test', $validator->getMimeType());
         $this->assertEquals(array('image/gif', 'text/test'), $validator->getMimeType(true));
-        
+
         $validator->setMimeType(array('video/mpeg', 'gif'));
         $this->assertEquals('video/mpeg,gif', $validator->getMimeType());
         $this->assertEquals(array('video/mpeg', 'gif'), $validator->getMimeType(true));

tests/Zend/Validate/File/IsImageTest.php

@@ -85,6 +85,7 @@ class Zend_Validate_File_IsImageTest extends PHPUnit_Framework_TestCase
 
         foreach ($valuesExpected as $element) {
             $validator = new Zend_Validate_File_IsImage($element[0]);
+            $validator->enableHeaderCheck();
             $this->assertEquals(
                 $element[1],
                 $validator->isValid(dirname(__FILE__) . '/_files/picture.jpg', $files),
@@ -121,11 +122,11 @@ class Zend_Validate_File_IsImageTest extends PHPUnit_Framework_TestCase
         $validator->setMimeType('image/jpeg');
         $this->assertEquals('image/jpeg', $validator->getMimeType());
         $this->assertEquals(array('image/jpeg'), $validator->getMimeType(true));
-        
+
         $validator->setMimeType('image/gif, text/test');
         $this->assertEquals('image/gif,text/test', $validator->getMimeType());
         $this->assertEquals(array('image/gif', 'text/test'), $validator->getMimeType(true));
-        
+
         $validator->setMimeType(array('video/mpeg', 'gif'));
         $this->assertEquals('video/mpeg,gif', $validator->getMimeType());
         $this->assertEquals(array('video/mpeg', 'gif'), $validator->getMimeType(true));

tests/Zend/Validate/File/MimeTypeTest.php

@@ -91,6 +91,7 @@ class Zend_Validate_File_MimeTypeTest extends PHPUnit_Framework_TestCase
             $options   = array_shift($element);
             $expected  = array_shift($element);
             $validator = new Zend_Validate_File_MimeType($options);
+            $validator->enableHeaderCheck();
             $this->assertEquals(
                 $expected,
                 $validator->isValid($filetest, $files),