Fix ValueError: finfo_file() Argument #2 must not be empty

[Copilot]

Problem

The addon was throwing a ValueError when finfo_file() was called with an empty filename parameter:

ValueError: finfo_file(): Argument #2 ($filename) must not be empty
File: redaxo/src/addons/zip_install/lib/zip_install.php
Line: 401

This error occurred in PHP 8.1+ when file uploads failed but the $_FILES array was still populated. In such cases, $uploadedFile['tmp_name'] could be empty, causing finfo_file() to throw a ValueError when attempting to validate the MIME type.

Solution

Added proper validation checks before calling finfo_file() in the handleFileUploadWithResult() method:

1. Upload Error Validation: Check $uploadedFile['error'] to catch PHP upload errors (file size exceeded, incomplete uploads, etc.)
2. Empty Path Validation: Ensure $uploadedFile['tmp_name'] is not empty before using it
3. Security Validation: Use is_uploaded_file() to verify the file was legitimately uploaded via HTTP POST

These checks ensure that MIME type validation is only performed on valid uploaded files, preventing the ValueError and providing better error messages to users.

Changes

• Modified /lib/zip_install.php in the handleFileUploadWithResult() method
• Added 16 lines of validation code before file processing
• Returns appropriate error messages when validation fails

Benefits

• ✅ Fixes the ValueError crash
• ✅ Improves error handling for failed uploads
• ✅ Enhances security by validating uploads more thoroughly
• ✅ Provides better user feedback for upload failures
• ✅ Maintains backward compatibility

Testing

• PHP syntax validation passed
• Manual validation tests confirmed proper handling of:
  • Empty temporary file paths
  • Upload errors (UPLOAD_ERR_*)
  • Valid uploads

Original prompt

---

This section details on the original issue you should resolve

<issue_title>ValueError: finfo_file(): Argument #2 ($filename) must not be empty</issue_title>
<issue_description>ValueError: finfo_file(): Argument #2 ($filename) must not be empty
File: redaxo/src/addons/zip_install/lib/zip_install.php
Line: 401

Stacktrace

Function	File	Line
finfo_file	redaxo/src/addons/zip_install/lib/zip_install.php	401
FriendsOfRedaxo\ZipInstall\ZipInstall->handleFileUploadWithResult	redaxo/src/addons/zip_install/pages/install.packages.zip_install.php	27
require	redaxo/src/core/lib/packages/package.php	233
rex_package->includeFile	redaxo/src/core/lib/be/controller.php	516
rex_be_controller::{closure:rex_be_controller::includePath():498}	redaxo/src/core/lib/util/timer.php	62
rex_timer::measure	redaxo/src/core/lib/be/controller.php	498
rex_be_controller::includePath	redaxo/src/core/lib/be/controller.php	464
rex_be_controller::includeCurrentPageSubPath	redaxo/src/addons/install/pages/index.php	18
require	redaxo/src/core/lib/packages/package.php	233
rex_package->includeFile	redaxo/src/core/lib/be/controller.php	516
rex_be_controller::{closure:rex_be_controller::includePath():498}	redaxo/src/core/lib/util/timer.php	62
rex_timer::measure	redaxo/src/core/lib/be/controller.php	498
rex_be_controller::includePath	redaxo/src/core/lib/be/controller.php	438
rex_be_controller::includeCurrentPage	redaxo/src/core/backend.php	279
require	redaxo/src/core/boot.php	136
require	redaxo/index.php	9

System report (REDAXO 5.20.0, PHP 8.4.13, MySQL 5.7.44)

REDAXO
Version	5.20.0

PHP
Version	8.4.13
OPcache	yes
Xdebug	no

Database
Version	MySQL 5.7.44
Character set	utf8
Warning	Die verwendete MySQL-Version 5.7.44 wird nicht mehr vom Hersteller gepflegt und sollte aktualisiert werden.

Server
OS	Linux
SAPI	cgi-fcgi
Webserver	Apache

Request
Browser	Chrome/141.0.0.0
Protocol	HTTP/2.0
HTTPS	yes

Packages
accessdenied	3.0.0
adminer	3.5.0
api_docs	1.1.0
auto_delete	2.0.1
backup	2.9.3
be_style	3.7.0
be_style/customizer	3.5.0
be_style/redaxo	3.7.0
bloecks	5.2.5
ckeditor	4.20.2
cronjob	2.11.1
developer	3.9.3
install	2.13.1
maintenance	3.4.0 ...

Fixes #53

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR fixes a ValueError that occurs when finfo_file() is called with an empty filename parameter in PHP 8.1+. The error happens when file uploads fail but the $_FILES array still contains entries with empty tmp_name values.

• Added upload error validation to check $uploadedFile['error'] for PHP upload errors
• Added empty path validation to ensure $uploadedFile['tmp_name'] is not empty
• Added security validation using is_uploaded_file() to verify legitimate uploads

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}