PHP :: Bug #74318 :: Partially uploaded files are not deleted

Bug #74318	Partially uploaded files are not deleted
Submitted:	2017-03-27 14:53 UTC	Modified:	2017-03-28 11:36 UTC
From:	vobruba dot martin at gmail dot com	Assigned:	ab (profile)
Status:	Closed	Package:	Apache2 related
PHP Version:	7.1.3	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	vobruba dot martin at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2017-03-27 14:53 UTC] vobruba dot martin at gmail dot com

Description:
------------
If you make an incomplete upload request (Content-Length header value is larger than POSTed body) a temporary upload_tmp_dir/php* file won't be deleted after the request is processed by server which is bad because upload_tmp_dir is growing in size.

I think that this is related to this patch https://github.com/php/php-src/pull/2323 because I cannot replicate this problem in 7.1.2.

Test script:
---------------
<?php

$rn = "\r\n";
$boundary = '------------------BOUNDARY';
$fileSize = 5 * 1024 * 1024;	// upload size must be larger than input buffer size
$offset = 1000;	// should cause timeout if distinctly larger than 0
$connectHost = 'CHANGE.THIS.HOST';
$connectPort = 443;
$connectProto = 'ssl';
$requestUri = '/upload.php';

$content  = '--'.$boundary.$rn;
$content .= 'Content-Disposition: form-data; name="file"; filename="test.txt"'.$rn;
$content .= 'Content-Type: application/octet-stream'.$rn.$rn;
$content .= str_repeat('a', $fileSize).$rn;
$content .= '--'.$boundary.'--';

$headers  = 'POST '.$requestUri.' HTTP/1.1'.$rn;
$headers .= 'Host: '.$connectHost.$rn;
$headers .= 'Connection: close'.$rn;
$headers .= 'Content-Length: '.(strlen($content) + $offset).$rn;
$headers .= 'Content-Type: multipart/form-data; boundary='.$boundary.$rn.$rn;


$socket = fsockopen($connectProto.'://'.$connectHost, $connectPort);
fwrite($socket, $headers.$rn.$content);
while(!feof($socket)) {
	echo fread($socket, 1024);
}
fclose($socket);


Expected result:
----------------
Associated upload_tmp_dir/php* file is deleted after the request is processed.

Actual result:
--------------
Associated upload_tmp_dir/php* file is not deleted.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-03-28 06:51 UTC] vobruba dot martin at gmail dot com

BTW I believe this is a security issue because anyone can easily cause a denial of service using this bug.

[2017-03-28 11:36 UTC] ab@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: ab

[2017-03-28 11:36 UTC] ab@php.net

Fixed by reverting 80c8d84af303d2fddc9ba9f181c7117b9040811d, bug #61471 reopened once again.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jan 30 00:01:33 2025 UTC