I am currently trying to let Symfony's Validator Component handle the validation of uploaded files, which works perfectly fine for normal files. However, if files are above a certain size they are uploaded as chunks, which are then merged and then validated. Both ways to upload are validated by the same function, which basically just looks like this:
    public function validateFile(UploadedFile $uploadedFile): ConstraintViolationList {
        return $this->validator->validate(
            $uploadedFile,
            [
                new FileConstraints([
                    'maxSize' => '1000M',
                ]),
            ]
        );
    }
But somehow, the merged uploads trigger a violation, which, unfortunately, is quite uninformative to me:
Symfony\Component\Validator\ConstraintViolation {#658 ▼
-message: "The file could not be uploaded."
-messageTemplate: "The file could not be uploaded."
-parameters: []
-plural: null
-root: Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▶}
-propertyPath: ""
-invalidValue: Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▶}
-constraint: Symfony\Component\Validator\Constraints\File {#649 ▶}
-code: "0"
-cause: null
}
The logs are clean, no errors, only INFO regarding matched routes and deprecated stuff as well as DEBUG regarding authentication tokens and such.
If I dump'n'die the UploadedObjects the only difference is that the chunked & merged one has executable: true and that it's not stored in tmp.
Can someone here explain to me what causes this violation and what has to be done to prevent it or point me to some documentation regarding that?
EDIT: The upload of chunks and the merging seems to work perfectly fine - uploaded images can be viewed, text docs/pdfs can be read etc. Also used all the other code for quite a while now with different validation, just wanted to make everything a bit more pro and sorted by using the existing Validator infrastructure. To provide additional info regarding the uploaded objects, here is the dd output, starting with regular file upload:
Symfony\Component\HttpFoundation\File\UploadedFile {#20 ▼
-test: false
-originalName: "foo.jpg"
-mimeType: "image/jpeg"
-error: 0
path: "/tmp"
filename: "phpEu7Xmw"
basename: "phpEu7Xmw"
pathname: "/tmp/phpEu7Xmw"
extension: ""
realPath: "/tmp/phpEu7Xmw"
aTime: 2021-05-27 10:47:56
mTime: 2021-05-27 10:47:54
cTime: 2021-05-27 10:47:54
inode: 1048589
size: 539474
perms: 0100600
owner: 1000
group: 1000
type: "file"
writable: true
readable: true
executable: false
file: true
dir: false
link: false
}
For chunked upload:
Symfony\Component\HttpFoundation\File\UploadedFile {#647 ▼
-test: false
-originalName: "foo.jpg"
-mimeType: "image/jpeg"
-error: 0
path: "/home/vagrant/MyProject/var/uploads"
filename: "foo.jpg"
basename: "foo.jpg"
pathname: "/home/vagrant/MyProject/var/uploads/foo.jpg"
extension: "jpg"
realPath: "/home/vagrant/MyProject/var/uploads/foo.jpg"
aTime: 2021-05-27 10:43:58
mTime: 2021-05-27 10:43:58
cTime: 2021-05-27 10:43:58
inode: 8154
size: 539474
perms: 0100777
owner: 1000
group: 1000
type: "file"
writable: true
readable: true
executable: true
file: true
dir: false
link: false
}
When the File constraint receives an UploadedFile instance, it triggers a call to isValid, which in turn calls is_uploaded_file:
Returns true if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working.
After reassembling the chunks into a new file this check no longer passes and the constraint fails.
You could use your last file fragment to reassemble the original file or you could return a File from your function. File is not subject to that check, and the constraint will accept it along with UploadedFile.
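The second option from the answer above (returning a File from the merge step), as an added example that is not part of the original answer. `mergeChunks()`, the free-standing `validateFile()` and the directory layout are hypothetical names; because File skips the is_uploaded_file check, the merge step builds the target path itself from a server-controlled directory and resets the 0777 mode seen in the question's dump.

```php
<?php
// Added example, not from the original answer; mergeChunks(), validateFile() and the
// paths are assumptions. Needs symfony/validator and symfony/http-foundation (Composer).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\File\File;
use Symfony\Component\Validator\Constraints\File as FileConstraint;
use Symfony\Component\Validator\ConstraintViolationListInterface;
use Symfony\Component\Validator\Validation;

/** @param string[] $chunkPaths server-side chunk paths, already in order */
function mergeChunks(array $chunkPaths, string $uploadDir, string $clientName): File
{
    // The client name only decorates the file name; the path itself is server-controlled.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($clientName));
    $target = $uploadDir . '/' . bin2hex(random_bytes(8)) . '_' . $safe;
    $out = @fopen($target, 'xb'); // 'x' refuses to overwrite an existing file
    if ($out === false) {
        throw new RuntimeException('Cannot create merged file');
    }
    foreach ($chunkPaths as $chunk) {
        $in = fopen($chunk, 'rb');
        if ($in === false || stream_copy_to_stream($in, $out) === false) {
            throw new RuntimeException('Cannot append chunk');
        }
        fclose($in);
    }
    fclose($out);
    chmod($target, 0640); // the merged file in the question was 0777 (executable)
    return new File($target); // File's constructor verifies the path is a real file
}

// Type-hinting File accepts UploadedFile (direct uploads) and merged files alike.
function validateFile(File $file): ConstraintViolationListInterface
{
    return Validation::createValidator()->validate($file, [
        new FileConstraint(['maxSize' => '1000M']),
    ]);
}

// Constructed sample input: two chunk files in a temporary directory.
$dir = sys_get_temp_dir() . '/chunk-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/part0", 'hello ');
file_put_contents("$dir/part1", 'world');
$merged = mergeChunks(["$dir/part0", "$dir/part1"], $dir, '../../foo.jpg');
printf("%s: %d violation(s)\n", $merged->getFilename(), count(validateFile($merged)));
```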