fix adminhtml file attribute edit form

[fsw]

fixes #11252

Description

not sure why this line was introduced as the only place this function is used seems to be here:

magento2/app/code/Magento/Customer/Model/FileUploader.php

Line 110 in 55e9a5c

$result = $fileProcessor->saveTemporaryFile($this->scope . '[' . $this->getAttributeCode() . ']');

and it uses 'path' key right after call.
hence no tests are included.

Fixed Issues (if relevant)

1. Custom attribute - File not allowing uploads #11252: Custom attribute - File not allowing uploads

Manual testing scenarios

1. Create customer attribute with type file
2. Got to Customer edit form Account Information tab
3. Upload works instead of showing error

[magento-cicd2]

All committers have signed the CLA.

[orlangur]

It was added for security reasons: https://github.com/magento/magento2/blame/2.2-develop/app/code/Magento/Customer/Model/FileProcessor.php#L184

Please figure out another way to fix bug you faced with.

[fsw]

Hi @orlangur,
Thanks for your reply.

Maybe I am missing something but only place in CE and EE I am seeing that is using this function is this place:

magento2/app/code/Magento/Customer/Model/FileUploader.php

Line 110 in 55e9a5c

$result = $fileProcessor->saveTemporaryFile($this->scope . '[' . $this->getAttributeCode() . ']');

And it is using 'path' right after and If I see correctly it is using it to create file path to validate it later. So it needs this data.

Path can be unset after that (in FileUploader::upload()) but without knowing what the security issue was I can only guess, Is MAGETWO-70580 an internal ticket number? Can we know exactly what issue this change fixed?
Otherwise I have no other ideas.

cheers.

[orlangur]

So, basically, initial security fix needs to be revised which was reverted by changes in this PR and the correct way of fix needs to be understood.

Unassigning from myself for now, will check it again when I have some spare time.

[omiroshnichenko]

Hi, @fsw. After debugging I found that path used only here. In comment says that tmp_name required for attribute validation, but validation performs before this assignment. So, after I removed usage of $result['path'], in line that I mentioned before, it works correct. Could you please revert your changes and remove usage of $result['path']?

[fsw]

Hi @omiroshnichenko, by "remove usage of $result['path']" do you mean to remove pointed line at all or to change it to something like this:

    $result['tmp_name'] = ltrim($result['file'], '/');

If I recall correctly when I did this and uploaded file via admin form it indeed broke saying tmp_name is undefined or something like that but I can't recall exactly. So I think it is indeed used for some validation.

Anyway I added you as collaborator so please feel free to do whatever you like with this PR or create a new one.

cheers.