mzur / kirby-form Goto Github PK

Hi there,

thanks for this awesome plugin. I implement an application form with file upload, but unfortunately the csrf validation fails.
This is due to the fact that the Kirby Request object does not parse multipart/form-data encoded form data and hence $token === null in Form.php#157.

Am I missing out on something or is this considered a bug?

Cheerio

Hi there, thanks for this plugin :-)

While upgrading a Kirby installation I found out, that this plugin uses Kirby\Toolkit\F, which has been refactored to Kirby\Filesystem\F in Kirby 3.6. There are aliases available which is why the code still works. However, the aliases might be deleted eventually.

See the changelog under refactoring

Cheerio

The invalid helper seems to exist in Kirby 3. It didn't in the beta versions. But now it can be used to simplify the Validator class.

I noticed an issue with missing csrf tokens[1], when uploading larger files through a public facing form. [2]
After finally looking into the php error log I saw this warning: PHP Warning: POST Content-Length of 19119038 bytes exceeds the limit of 8388608 bytes in Unknown on line 0 and with upping the allowed filesize/post size in php.ini

upload_max_filesize = 64M
post_max_size = 192M

I was good to go.

Unfortunately there is no indication of those limits outside of kirby in the plugin, so I would propose a check for these values, maybe behind the debug flag like kirby itself is doing: https://github.com/getkirby/kirby/blob/04127160ed1ab8dc277763cd8ba4ebc5a097bc18/src/Api/Api.php#L747-L756

if (empty($files) === true) {
    $postMaxSize       = Str::toBytes(ini_get('post_max_size'));
    $uploadMaxFileSize = Str::toBytes(ini_get('upload_max_filesize'));

    if ($postMaxSize < $uploadMaxFileSize) {
        throw new Exception(t('upload.error.iniPostSize'));
    } else {
        throw new Exception(t('upload.error.noFiles'));
    }
}

I would have sent a pull request, but I'm not sure where to place that check.

Maybe this is something to consider. Thanks!

[1] Just for the record, check for token happens here

When using the library with PHP 8.1, it triggers the following deprecation notice:

htmlspecialchars_decode(): Passing null to parameter #1 ($string) of type string is deprecated