security #5287 Add a caution to the getUploadRootDir Doctrine (anacic…
…coni)

This PR was merged into the 2.3 branch.

Discussion
----------

Add a caution to the getUploadRootDir Doctrine

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | all
| Fixed tickets | #4177

Commits
-------

a80d669 Add a caution to the getUploadRootDir - correction
69475d0 Adding a caution to the getUploadRootDir() method
weaverryan committed Jun 11, 2015
2 parents 4566d33 + a80d669 commit eb17948
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions cookbook/doctrine/file_uploads.rst
Expand Up @@ -99,6 +99,13 @@ file.
If you're using annotations to specify your validation rules (as shown
in this example), be sure that you've enabled validation by annotation
(see :ref:`validation configuration <book-validation-configuration>`).

.. caution::

If you use the ``getUploadRootDir()`` method, be aware that this will save
the file inside the document root, which can be accessed by everyone.
Consider placing it out of the document root and adding custom viewing
logic when you need to secure the files.

To handle the actual file upload in the form, use a "virtual" ``file`` field.
For example, if you're building your form directly in a controller, it might
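
Review bot: The added caution tells the reader to place the file "out of the document root" and add "custom viewing logic" but gives nothing concrete to act on: it does not say what to change in ``getUploadRootDir()`` or what the viewing logic has to do. Suggest wording such as "Consider making ``getUploadRootDir()`` return a directory outside the document root and serving the files through a controller that checks access". In the first sentence, "this will save the file inside the document root, which can be accessed by everyone" leaves it unclear whether "which" refers to the file or to the document root; "inside the document root, where anyone can request it" removes the ambiguity. "out of the document root" also reads better as "outside the document root".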