hi victor,

i think the best strategy would be:

keep the default (persist), but add your max size idea (if total size is
> limit, delete older files until in limit again) or just have a max age
(delete everything older than i.e. an hour) with again a default value.
this will give less than optimal performance, but good usability out of
the box.

the guide for the file upload section should explain how to disable the
max size / max age check in the form upload and run a cleanup command
(the framework could again contain two simple commands for deleting
everything older than some timespan ("-1 hour", "-5 hours", "-1 day"...))

against file upload attacks, something more sophisticated will be needed.

cheers, david

On 02.05.2011 14:36, Victor Berchet wrote:
> I would like to initiate a discussion on file uploading with the form
> framework.
>
> The current default behavior is to persist uploaded files across
> requests (when forms are bound).
> This is cool because when the forms do not pass validation the user
> doesn't have to select the file again, it is persisted.
>
> The current file input template does not show the persisted file, some
> more work is needed here.
>
> One problem I can imagine is that it becomes very easy to fill the
> server disk with uploaded files: PHP usually cleans uploaded files
> that don't get moved during the request however the form framework
> behavior is to move uploaded files to a TemporaryStorage, so you would
> have to do the cleaning yourself (for the files that eventually don't
> get moved out of the TemporaryStorage).
>
> There are several solutions I can think of to improve the current
> behavior:
> - Have the file persistence as an option and disable it by default -
> then you're more likely to think about the required cleaning when you
> explicitly enable persistency,
> - Implement a "max size" option in the TemporaryStorage class. When
> this limit is reached older files would automatically be deleted.
>
> Any thoughts on the problem, the proposed solutions, any other
> solutions?
>
> Note:
> I only have some limited knowledge / experience with the new form
> framework, do not hesitate to correct me if something is wrong.
>
--
Liip AG // Agile Web Development // T +41 26 422 25 11
CH-1700 Fribourg // PGP 0xA581808B // www.liip.ch
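
Added example, not part of the original thread and not Symfony code: one way the "max age" and "max size" cleanup discussed above could work on a temporary upload directory, deleting expired files first and then evicting the oldest files until the directory is back under the limit. The function name `pruneTemporaryStorage()`, its parameters and the sample directory are assumptions made for illustration.

```php
<?php
// Added example: pruneTemporaryStorage(), $maxAge and $maxBytes are
// hypothetical names for illustration, not part of the Symfony API.
function pruneTemporaryStorage(string $dir, int $maxAge, int $maxBytes, ?int $now = null): array
{
    $now = $now ?? time();
    $files = [];
    foreach (new FilesystemIterator($dir, FilesystemIterator::SKIP_DOTS) as $entry) {
        // Regular files only; a symlink could point outside the storage directory.
        if ($entry->isLink() || !$entry->isFile()) {
            continue;
        }
        $files[] = [
            'path'  => $entry->getPathname(),
            'mtime' => $entry->getMTime(),
            'size'  => $entry->getSize(),
        ];
    }
    // Oldest first, so eviction always removes the oldest uploads.
    usort($files, fn (array $a, array $b) => $a['mtime'] <=> $b['mtime']);

    $total = array_sum(array_column($files, 'size'));
    $deleted = [];
    foreach ($files as $f) {
        $expired = ($now - $f['mtime']) > $maxAge;
        if (!$expired && $total <= $maxBytes) {
            break; // every remaining file is newer and the total is within the limit
        }
        if (@unlink($f['path'])) {
            $total -= $f['size'];
            $deleted[] = basename($f['path']);
        }
    }
    return $deleted;
}

// Constructed sample: three 400-byte files aged 2 hours, 10 minutes and 1 minute.
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$now = time();
foreach (['a.tmp' => 7200, 'b.tmp' => 600, 'c.tmp' => 60] as $name => $age) {
    file_put_contents("$dir/$name", str_repeat('x', 400));
    touch("$dir/$name", $now - $age);
}
// Run with a max age of one hour and a 500-byte cap on the whole directory.
print_r(pruneTemporaryStorage($dir, 3600, 500, $now));
array_map('unlink', glob("$dir/*")); // remove the demo files that were kept
rmdir($dir);
```

The same function can be called from a scheduled cleanup command instead of on each form submission, which is the trade-off between performance and out-of-the-box usability raised in the reply.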