[3.0] [Form] Forbid PUT + File upload #10541

Closed
lyrixx opened this issue Mar 26, 2014 · 6 comments
@lyrixx
Member

lyrixx commented Mar 26, 2014

Quoting someone else:

HTTP semantics has it that PUT on a resource should replace
the resource with the representation sent in the request. The
resource is expected to have an equivalent, if not bitwise equal,
representation as the request.
See also the latest HTTP clarifications.

That means that multipart/form-data is usually wrong with PUT.

I understand that the Form component does encourage this, as simply adding a file element is expected to work. But it would be preferable to fix the Form component and forbid mixing PUT with file elements than working around it and against HTTP semantics. ping @webmozart

What you should do instead is PUT the content of your upload to the very same URL that you use to GET it.
Or use POST instead of PUT, because POST has the required semantics.

Another major problem with the proposed patch is that IF the MIME multipart parsing algorithm should be implemented, it should be against the many relevant RFCs, be tested against variations found in the wild, be stream efficient (should not expect that everything fits in memory), etc. Many subjects that the C source code of PHP has implemented, tested and validated in real life situations. But having our own in Symfony is hard work.

See #10381 (comment)

@mvrhov

mvrhov commented Mar 27, 2014

Please DO NOT DO that. We are relying on that.

@stof stof added the Form label Apr 9, 2014
@webmozart
Contributor

We can also do this if we provide an overall strategy for dealing with files in an HTTP-compliant way. I'm open to suggestions.

@mvrhov

mvrhov commented Apr 9, 2014

The only way this can be done safely is by using POST on the form and then using one of the method override options: header, field in form.

@lyrixx lyrixx changed the title [Form] Forbid PUT + File upload [RFC][Form] Forbid PUT + File upload Apr 9, 2014
@lyrixx
Member Author

lyrixx commented Apr 9, 2014

BTW, I edited the issue to add more info. And I added RFC to the title.

@webmozart webmozart changed the title [RFC][Form] Forbid PUT + File upload [3.0] [Form] Forbid PUT + File upload Oct 17, 2014
@vincent-dravert

Thanks @lyrixx, I was starting to rack my brain over this for an old project. I hope you're doing well. Cheers.

@lyrixx
Member Author

lyrixx commented Jun 21, 2017

I don't think it's useful to keep this issue open. I'm closing it.
But we can re-open it if someone wants to.

@lyrixx lyrixx closed this as completed Jun 21, 2017