From 869dac5146e1ef7fd6853d8962ef3ca16e731d27 Mon Sep 17 00:00:00 2001 From: Sergey Panteleev Date: Tue, 23 Nov 2021 11:02:54 +0300 Subject: [PATCH 1/3] [PHP 8.1] Documentation full_path entry of $_FILES --- features/file-upload.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/features/file-upload.xml b/features/file-upload.xml index 0da46e3a5e3c..359f1317ae70 100644 --- a/features/file-upload.xml +++ b/features/file-upload.xml @@ -132,6 +132,15 @@ + + $_FILES['userfile']['full_path'] + + + The full path as submitted by the browser. + Available as of PHP 8.1.0. + + + @@ -462,6 +471,37 @@ foreach ($_FILES["pictures"]["error"] as $key => $error) { try to upload more files in one request than this limit. + + + Uploading an entire directory + + In HTML file upload fields, it is possible to upload an entire directory with the webkitdirectory attribute. + This feature is supported in most modern browsers. + + + With the full_path information, it is possible to store the relative paths, + or reconstruct the same directory in the server. + + + + Send this directory:
+ + + +]]> + + + + + + PHP only parses the relative path information submitted by the browser/user-agent, + and passes that information to the $_FILES array. + There is no guarantee that the values in the full_path array contains a real directory structure, + and the PHP applications must not trust this information. + + + From cc7ea931913bea8218a1a114e0281182e04fb8da Mon Sep 17 00:00:00 2001 From: Sergey Panteleev Date: Thu, 9 Dec 2021 09:18:34 +0300 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Yoshinari Takaoka Co-authored-by: Christoph M. Becker --- features/file-upload.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/features/file-upload.xml b/features/file-upload.xml index 359f1317ae70..d36fb3f6cb8d 100644 --- a/features/file-upload.xml +++ b/features/file-upload.xml @@ -136,7 +136,7 @@ $_FILES['userfile']['full_path'] - The full path as submitted by the browser. + The full path as submitted by the browser. This value does not always contain a real directory structure, and cannot be trusted. Available as of PHP 8.1.0. @@ -498,7 +498,7 @@ foreach ($_FILES["pictures"]["error"] as $key => $error) { PHP only parses the relative path information submitted by the browser/user-agent, and passes that information to the $_FILES array. There is no guarantee that the values in the full_path array contains a real directory structure, - and the PHP applications must not trust this information. + and the PHP application must not trust this information. From 3c7b2c005675daeea92e6f84565e94ebfb28f15f Mon Sep 17 00:00:00 2001 From: Sergey Panteleev Date: Thu, 9 Dec 2021 09:28:46 +0300 Subject: [PATCH 3/3] add warning about non-standard feature --- features/file-upload.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/features/file-upload.xml b/features/file-upload.xml index d36fb3f6cb8d..e69a7a61c3a8 100644 --- a/features/file-upload.xml +++ b/features/file-upload.xml @@ -494,6 +494,11 @@ foreach ($_FILES["pictures"]["error"] as $key => $error) { + + The webkitdirectory attribute is non-standard and is not on a standards track. + Do not use it on production sites facing the Web: it will not work for every user. + There may also be large incompatibilities between implementations and the behavior may change in the future. + PHP only parses the relative path information submitted by the browser/user-agent, and passes that information to the $_FILES array.