validateForm() method is not implemented which allows to load any kind of file to parse. Here is example, the most simplistic implementation which allows you to improve security of this module:
public function validateForm(array &$form, FormStateInterface $form_state) {
$this->file = file_save_upload('csv_file', $form['csv']['csv_file']['#upload_validators'], FALSE, 0);
if (!$this->file) {
$form_state->setErrorByName('csv_file', $this->t('Provided file is not a CSV file or is corrupted.'));
}
}
IMHO module should be avoided until it is fixed as module introduces high security risk.
Comments
Comment #2
steffenrHi @spectatorx - i added a patch containing the validateForm you mentioned.
I also changed the use of the $_FILES array while uploading. All data is available via $this->file and can be used in createNode function.
Comment #3
steffenrComment #4
davy duthoit commentedTested, everything seems fine.
The wrong file extensions throw an error:
Comment #5
davy duthoit commentedComment #6
avpadernoComment #7
dhayanandan_k commentedPatch applied and verified. Please check and close this issue