php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #15886 rfc1867 file uploads should consider Content-length header
Submitted: 2002-03-05 15:14 UTC Modified: 2013-10-28 21:15 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: j dot kase at privador dot com Assigned: krakjoe (profile)
Status: Closed Package: *General Issues
PHP Version: 4.2.0 OS: Win2000 (also tested on Linux)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: j dot kase at privador dot com
New email:
PHP Version: OS:

 

 [2002-03-05 15:14 UTC] j dot kase at privador dot com 
The RFC1867 compatible file upload feature in PHP is odd to use and has some shortcomings. Following are the issues that I would like to be changed (or maybe commented if I have just overlooked something):

* Content-length header should be considered.

When uploading a file, browsers usually supply a Content-length header with it, indicating the total size of posted data. The upload feature should consider it and compare it to post_max_size and upload_max_filesize configuration settings and maybe also the MAX_FILE_SIZE hidden field present in the form. When Content-length > (smallest of the three), the upload should terminate immediately and some sensible error returned to the user without ever receiving the full file. Also, when someone has played around with the incoming stream, upload should terminate IF content-length is small but the incoming byte stream is larger than the permitted values (i.e. limit is 2MB, and 2MB out of 100MB file has been uploaded, should terminate immediately and not wait until the end of 100MB).

* MAX_FILE_SIZE has no effect

It is said in the doc that the field is "advisory to the browser", but I have not found out what it is about. At least in case of IE 5.5 and Opera 6.01 it has NO effect. As said above, one application for this variable should be that when accepting an incoming upload, the engine should compare this variable to the value of the Content-length header and immediately terminate upload if Content-length > MAX_FILE_SIZE.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-04-04 07:25 UTC] sniper@php.net 
This stuff should be fixed in PHP 4.2.0 (RCs can be found at http://www.php.net/~derick/ )
 [2002-04-29 13:01 UTC] j dot kase at privador dot com 
Still remains with 4.2.0 at least on Windows - upload does not terminate until the whole file has been uploaded, even if the file size exceeds all the specified limits. My original idea was: if uploaded file size (i.e. Content-Length) is bigger than any of the limits, immediately terminate the upload without accepting further content.
 [2013-10-28 21:14 UTC] krakjoe@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2013-10-28 21:15 UTC] krakjoe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2013-10-28 21:15 UTC] krakjoe@php.net 
This has been fixed sometime in the past; the content-length is now checked before multi-part uploads are read from input.

Closing request.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Jun 15 09:01:29 2024 UTC