Fabien: I have created:
- one ticket for the max size option: http://trac.symfony-project.org/ticket/9747
- one ticket for the widget template: http://trac.symfony-project.org/ticket/9748
Dave,

Having a max age is a good idea for regular cleaning. However, it would not help against an attack where the files are uploaded over a short period of time.

Cheers,
Victor

On May 2, 3:40 pm, David Buchmann <[email protected]> wrote:
> hi victor,
>
> i think the best strategy would be:
>
> keep the default (persist), but add your max size idea (if total size is > limit, delete older files until in limit again) or just have a max age (delete everything older than i.e. an hour) with again a default value. this will give less than optimal performance, but good usability out of the box.
>
> the guide for the file upload section should explain how to disable the max size / max age check in the form upload and run a cleanup command (the framework could again contain two simple commands for deleting everything older than some timespan ("-1 hour", "-5 hours", "-1 day"...))
>
> against file upload attacks, something more sophisticated will be needed.
>
> cheers,
> david
>
> On 02.05.2011 14:36, Victor Berchet wrote:
> > I would like to initiate a discussion on file uploading with the form framework.
> >
> > The current default behavior is to persist uploaded files across requests (when forms are bound). This is cool because when the forms do not pass validation the user doesn't have to select the file again, it is persisted.
> >
> > The current file input template does not show persisted files, some more work is needed here.
> >
> > One problem I can imagine is that it becomes very easy to fill the server disk with uploaded files: PHP usually cleans uploaded files that don't get moved during the request, however the form framework behavior is to move uploaded files to a TemporaryStorage, so you would have to do the cleaning yourself (for the files that eventually don't get moved out of the TemporaryStorage).
> >
> > There are several solutions I can think of to improve the current behavior:
> > - Have the file persistence as an option and disable it by default - then you're more likely to think about the required cleaning when you explicitly enable persistence,
> > - Implement a "max size" option in the TemporaryStorage class. When this limit is reached older files would automatically be deleted.
> >
> > Any thoughts on the problem, the proposed solutions, any other solutions?
> >
> > Note:
> > I only have some limited knowledge / experience with the new form framework, do not hesitate to correct me if something is wrong.
>
> --
> Liip AG // Agile Web Development // T +41 26 422 25 11
> CH-1700 Fribourg // PGP 0xA581808B // www.liip.ch
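As an added example (not Symfony's TemporaryStorage and not code posted by anyone in the thread), the following hypothetical PHP class combines the two policies discussed above: a max age for regular cleaning, and a max total size under which the oldest files are evicted first, which is the rule that actually bounds disk usage during a burst of uploads. The class name, the `.upload` suffix and the random-token naming are assumptions made for the example.

```php
<?php
// Added example, not Symfony code: a hypothetical bounded temporary storage.
//   - max age:  files older than $maxAge seconds are deleted (regular cleaning)
//   - max size: when the total size of stored files exceeds $maxTotalBytes,
//               the oldest files are deleted until the total fits again
// Only the max-size rule limits disk usage when many files arrive at once;
// the max-age rule alone does not.

final class BoundedTemporaryStorage
{
    private string $dir;
    private int $maxTotalBytes;
    private int $maxAge;

    public function __construct(string $dir, int $maxTotalBytes, int $maxAge)
    {
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException("Cannot create $dir");
        }
        $this->dir = rtrim($dir, '/');
        $this->maxTotalBytes = $maxTotalBytes;
        $this->maxAge = $maxAge;
    }

    /** Move an uploaded file into the store and return an opaque token for it. */
    public function store(string $uploadedTmpPath): string
    {
        // The client-supplied file name is never used on disk: a random token
        // is the only key, so nothing from the request can shape the path.
        $token = bin2hex(random_bytes(16));
        $target = $this->path($token);
        if (!move_uploaded_file($uploadedTmpPath, $target)) {
            throw new RuntimeException('move_uploaded_file failed');
        }
        $this->cleanup(); // enforce both limits on every store
        return $token;
    }

    /** Return the stored path for a token, or null if it is missing or was evicted. */
    public function get(string $token): ?string
    {
        // Accept only tokens we generated; this also rules out path traversal.
        if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
            return null;
        }
        $path = $this->path($token);
        return is_file($path) ? $path : null;
    }

    /** Delete a file once the form has moved it to its final destination. */
    public function remove(string $token): void
    {
        $path = $this->get($token);
        if ($path !== null) {
            unlink($path);
        }
    }

    /** Apply the max-age rule, then the max-size rule (oldest first). */
    public function cleanup(): void
    {
        $now = time();
        $files = [];
        $total = 0;
        foreach (glob($this->dir . '/*.upload') ?: [] as $path) {
            $mtime = filemtime($path);
            if ($now - $mtime > $this->maxAge) {
                unlink($path);      // expired: regular cleaning
                continue;
            }
            $size = filesize($path);
            $files[] = [$mtime, $size, $path];
            $total += $size;
        }
        usort($files, fn(array $a, array $b) => $a[0] <=> $b[0]); // oldest first
        foreach ($files as [$mtime, $size, $path]) {
            if ($total <= $this->maxTotalBytes) {
                break;              // back under the limit
            }
            unlink($path);          // over limit: evict the oldest pending file
            $total -= $size;
        }
    }

    private function path(string $token): string
    {
        return $this->dir . '/' . $token . '.upload';
    }
}
```

`cleanup()` scans the whole directory on every `store()`, which is the performance cost David mentions; the same method can instead be run from a scheduled cleanup command, with the per-store call disabled. Note the trade-off of a global size cap: a burst from one client evicts other users' pending files, so their form resubmission will find the file gone. Bounding the disk is the point of the cap, but keeping legitimate uploads under attack is the "something more sophisticated" David refers to, for example a per-client quota on top of the global one.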
