Merge pull request yiisoft#1083 from samdark/CFileValidator-allowEmpt…

…y-null

yiisoft#1083: CFileValidator is now unsafe by default. This will prevent setting attribute when no file was uploaded

CHANGELOG

@@ -8,6 +8,7 @@ Version 1.1.12 work in progress
 - Bug #1077: Fixed the problem with alias in CSort (creocoder)
 - Bug #1072: Fixed the problem with getTableAlias() in defaultScope() (creocoder)
 - Bug #1066: CMemCache: expiration time higher than 60*60*24*30 (31536000) seconds led the value to expire right away after saving (resurtm)
+- Bug #1083: CFileValidator is now unsafe by default. This will prevent setting attribute when no file was uploaded (samdark)
 - Bug #1087: Reverted changes to CCookieCollection::add() introduced in 1.1.11 as they were triggering E_STRICT on some old PHP-versions (suralc)
 - Bug #1088: Fixed usage of proper CActiveForm id property when it's supplied with htmlOptions (mdomba)
 - Bug #1094: CGridView with enabled history used to clear page title in case sorting or paging performed (Opera and Firefox only) (resurtm)

framework/validators/CFileValidator.php

@@ -38,18 +38,18 @@
  *
  * You can use {@link CFileValidator} to validate the file attribute.
  *
- * In addition to the {@link message} property for setting a custom error message, 
+ * In addition to the {@link message} property for setting a custom error message,
  * CFileValidator has a few custom error messages you can set that correspond to different
  * validation scenarios. When the file is too large, you may use the {@link tooLarge} property
- * to define a custom error message. Similarly for {@link tooSmall}, {@link wrongType} and 
- * {@link tooMany}. The messages may contain additional placeholders that will be replaced 
- * with the actual content. In addition to the "{attribute}" placeholder, recognized by all 
- * validators (see {@link CValidator}), CFileValidator allows for the following placeholders 
+ * to define a custom error message. Similarly for {@link tooSmall}, {@link wrongType} and
+ * {@link tooMany}. The messages may contain additional placeholders that will be replaced
+ * with the actual content. In addition to the "{attribute}" placeholder, recognized by all
+ * validators (see {@link CValidator}), CFileValidator allows for the following placeholders
  * to be specified:
  * <ul>
  * <li>{file}: replaced with the name of the file.</li>
- * <li>{limit}: when using {@link tooLarge}, replaced with {@link maxSize}; 
- * when using {@link tooSmall}, replaced with {@link minSize}; and when using {@link tooMany} 
+ * <li>{limit}: when using {@link tooLarge}, replaced with {@link maxSize};
+ * when using {@link tooSmall}, replaced with {@link minSize}; and when using {@link tooMany}
  * replaced with {@link maxFiles}.</li>
  * <li>{extensions}: when using {@link wrongType}, it will be replaced with the allowed extensions.</li>
  * </ul>
@@ -130,6 +130,12 @@ class CFileValidator extends CValidator
 	 * limit.
 	 */
 	public $tooMany;
+	/**
+	 * @var boolean whether attributes listed with this validator should be considered safe for massive assignment.
+	 * For this validator it defaults to false.
+	 * @since 1.1.12
+	 */
+	public $safe=false;
 
 	/**
 	 * Set the attribute and then validates using {@link validateFile}.