Symfony version(s) affected
6.4., 7.2.
Description
If getting an uploaded file through $request->files which had an uploading error (any of PHP's UPLOAD_ERR_* errors except UPLOAD_ERR_NO_FILE), the returned value of UploadedFile::getRealPath is the absolute path of the public/ directory. This is inconsistent with parent class behavior: SplFileInfo::getRealPath should return false if the file does not exist. This could be risky if this value is used directly, without appropriate checks on the file.
How to reproduce
Reproducer: https://github.com/norival/symfony_reproducer_uploaded_file
- Browse /upload-file
- In the form, select a file within the given size range and submit the form
- The result of getRealPath() is printed
Possible Solution
This is due to UploadedFile calling the constructor of SplFileInfo with the content of $_FILES['tmp_name'], which is an empty string in that case.
I think it can be easily fixed by overriding getRealPath in UploadedFile; I'll submit a PR.
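A caller-side guard for the case described in this report, as an added example that is not part of the original issue, the reproducer or Symfony's own code. It assumes symfony/http-foundation is installed through Composer; the helper name `uploadedFilePathOrNull` and the sample upload are constructed for illustration.

```php
<?php
// Added example: assumes symfony/http-foundation is available via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\File\UploadedFile;

/**
 * Hypothetical helper: return the real path of an upload only when the
 * upload succeeded and the path is a regular file; otherwise return null.
 */
function uploadedFilePathOrNull(?UploadedFile $file): ?string
{
    if (null === $file) {
        return null; // nothing submitted (UPLOAD_ERR_NO_FILE case)
    }

    // isValid() is false for every upload error code other than
    // UPLOAD_ERR_OK, so a failed upload is rejected before its path is read.
    if (!$file->isValid()) {
        error_log(sprintf(
            'Upload rejected (error %d): %s',
            $file->getError(),
            $file->getErrorMessage()
        ));
        return null;
    }

    $path = $file->getRealPath();

    // Defence in depth: refuse anything that is not a regular file, so a
    // directory path can never reach file-handling code.
    if (false === $path || !is_file($path)) {
        return null;
    }

    return $path;
}

// Constructed sample: a failed upload as described in the report, with an
// empty tmp_name and a non-OK error code.
$failed = new UploadedFile('', 'report.pdf', null, \UPLOAD_ERR_INI_SIZE);

// Unguarded value: on the affected versions the report says this is a
// directory path rather than false.
var_dump($failed->getRealPath());

// Guarded value: the failed upload never yields a path.
var_dump(uploadedFilePathOrNull($failed));
```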