move_uploaded_file Fails, copy Works

SchautDollar Posts: 21 Questions: 6 Answers: 1

Hello,

So I'm running into an issue after upgrading the version of Datatables I was using.

I am now on the latest version 2.0.7. I believe I was on version 1.9.2.

After migrating to the latest version, the file upload would fail. I use a custom method to save files.

$editor_field = $editor_field->upload( DataTables\Editor\Upload::inst( function ( $f, $id ) {

    //...
    //Logic to check if file already exists, and generate a name...
    //...

    $uploadfile = $uploaddir .'/'. $file->getFileName();

    $move_file_status = move_uploaded_file($f['tmp_name'], $uploadfile);

    if ($move_file_status) {
        //...
        //Logic to save file info to database
        //...
        return $file->getId();
    }
    return null;
} ) );

This was working fine on version 1.9.2, but after I upgraded to 2.0.7, the files would no longer save, causing move_uploaded_file to return without an error. I ensured file permissions were good and also verified uploads were working via this same logic by using an independent script where move_uploaded_file worked just fine.

After changing

$move_file_status = move_uploaded_file($f['tmp_name'], $uploadfile);

to

$move_file_status = copy($f['tmp_name'], $uploadfile);

the file successfully saves.

I used the Editor Javascript / CSS / Bootstrap 5 styling from the https://datatables.net/download/ page.

Sample Payload:

------WebKitFormBoundaryFuKiGUmGkBSo4l41
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryFuKiGUmGkBSo4l41
Content-Disposition: form-data; name="uploadField"

documents.file_id
------WebKitFormBoundaryFuKiGUmGkBSo4l41
Content-Disposition: form-data; name="upload"; filename="Schaut Tech CGHC Quotes.pdf"
Content-Type: application/pdf


------WebKitFormBoundaryFuKiGUmGkBSo4l41
Content-Disposition: form-data; name="where"

[object Object]
------WebKitFormBoundaryFuKiGUmGkBSo4l41--
------WebKitFormBoundary4kYflPHrIshaPDaB
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundary4kYflPHrIshaPDaB
Content-Disposition: form-data; name="uploadField"

documents.file_id
------WebKitFormBoundary4kYflPHrIshaPDaB
Content-Disposition: form-data; name="upload"; filename="WP29627673.pdf"
Content-Type: application/pdf


------WebKitFormBoundary4kYflPHrIshaPDaB
Content-Disposition: form-data; name="where"

[object Object]
------WebKitFormBoundary4kYflPHrIshaPDaB--

Response from server (which makes sense, because the file didn't save.)

{"data":[],"files":[],"upload":{"id":null},"debug":[]}

From the PHP documentation:

Description
move_uploaded_file(string $from, string $to): bool
This function checks to ensure that the file designated by from is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by to.

This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.


I suspect move_uploaded_file is not happy with the uploaded file via its checks and won't move over the file.

1) Is there a way I can further troubleshoot the validity of the $f provided by $editor_field->upload to make move_uploaded_file happy?

2) Is there something else I may be doing wrong that could cause this? Incompatible files? I have recently switched to mdbootstrap for theming, although I can still create, edit, etc other datatable tables.

Thank you,
Ryan

Answers

  • allan Posts: 61,038 Questions: 1 Answers: 9,953 Site admin
    Answer ✓

    Hi Ryan,

    Many thanks for letting me know about this. It looks like it is caused by this pull request. I've reverted it here to address the issue you are seeing. If you grab the latest version of the Upload.php file from github there, and replace your local copy of it, that should do the job!

    Regards,
    Allan
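
For the troubleshooting question in the original post, the preconditions that move_uploaded_file() depends on can be checked one at a time inside the upload callback. This is an added example, not part of the thread and not DataTables Editor code; diagnose_upload() and safe_move_upload() are hypothetical helper names, and $f is assumed to have the shape of a $_FILES entry.

```php
<?php
// Added example, not DataTables Editor code. $f is assumed to be shaped like a $_FILES entry.

/** List every reason move_uploaded_file() would refuse $f; an empty list means all checks pass. */
function diagnose_upload(array $f, string $dest): array
{
    $problems = [];
    $err = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        $problems[] = "PHP reported upload error code $err";
    }
    $tmp = $f['tmp_name'] ?? '';
    if ($tmp === '' || !file_exists($tmp)) {
        $problems[] = "tmp_name '$tmp' does not exist (already moved or cleaned up)";
    } elseif (!is_uploaded_file($tmp)) {
        // Same origin check move_uploaded_file() makes; copy() does not make it.
        $problems[] = "tmp_name '$tmp' exists but PHP does not list it as an upload of this request";
    }
    $dir = dirname($dest);
    if (!is_dir($dir) || !is_writable($dir)) {
        $problems[] = "destination directory '$dir' is missing or not writable";
    }
    return $problems;
}

/** Move the upload, or log each failed precondition and return false. */
function safe_move_upload(array $f, string $dest): bool
{
    $problems = diagnose_upload($f, $dest);
    foreach ($problems as $p) {
        error_log("upload rejected: $p");
    }
    return $problems === [] && move_uploaded_file($f['tmp_name'], $dest);
}

// Constructed sample: a real file on disk that did not arrive via HTTP POST.
$fake = tempnam(sys_get_temp_dir(), 'up');
$f = ['name' => 'sample.pdf', 'tmp_name' => $fake, 'error' => UPLOAD_ERR_OK, 'size' => 0];
print_r(diagnose_upload($f, sys_get_temp_dir() . '/sample.pdf'));
var_dump(safe_move_upload($f, sys_get_temp_dir() . '/sample.pdf'));
unlink($fake);
```

Keeping the is_uploaded_file() check matters when copy() is used as a fallback, because copy() reads whatever path it is given without verifying that PHP received it as an upload.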
