Coding standards
Security in ResourceSpace
Developer reference
Database
Action functions
Admin functions
Ajax functions
Annotation functions
API functions
Collections functions
Comment functions
Config functions
CSV export functions
Dash functions
Debug functions
Encryption functions
Facial recognition functions
File functions
General functions
Language functions
Log functions
Login functions
Message functions
Migration functions
Node functions
PDF functions
Plugin functions
Render functions
Reporting functions
Request functions
Research functions
Slideshow functions
Theme permission functions
User functions
Video functions
Database functions
Metadata functions
Resource functions
Search functions
Map functions
Job functions
Tab functions
Test functions

File management (uploads)

Developers must always follow OWASP best practices when it comes to file management. In ResourceSpace, we've tried to abstract some of those practices to help handled these cases in a consistent way.

The following functions are useful when processing files (usually during upload).

  • process_file_upload - (from v10.6) a higher level function which can take a file (already on the server) or HTTP POSTd one and "move" it to your desired destination (usually path generated by get_resource_path). See examples section 
  • parse_filename_extension - (from v10.6) parses a basename to extract the extension out of it. It will handle various cases as recommended by OWASP (e.g. special files like .htaccess, or DOS 8.3 short paths - HTACCE~1)
  • is_banned_extension and check_valid_file_extension - both functions are meant to control what files can be uploaded. Limit the type of files that can be uploaded to only those types that should be allowed (where it's practical to do so).
  • Input validators:
    • is_valid_rs_path()
    • is_valid_upload_path
    • is_safe_basename()

Examples

Usual workflow

$process_file_upload = process_file_upload($_FILES['file'], new SplFileInfo(get_resource_path($ref, true, '')), []);
if (!$process_file_upload['success']) {
    return ['error' => $process_file_upload['error']->i18n($lang)];
}
  • Limit file types (allow list)
    $process_file_upload = process_file_upload($from, $to, ['allow_extensions' => ['csv']]);
  • Copy file (instead of the default - rename)
    $process_file_upload = process_file_upload($from, $to, ['file_move' => 'copy']);

Custom error message

return [
    'error' => match ($process_file_upload['error']) {
        ProcessFileUploadErrorCondition::InvalidExtension => str_replace(
            '%EXTENSIONS',
            'csv',
            $lang['invalidextension_mustbe-extensions']
        ),
        default => $process_file_upload['error']->i18n($lang),
    },
];