PHP :: Request #74882 :: Cannot use ini_set in a flexible manner enough with FrontControllers

Request #74882	Cannot use ini_set in a flexible manner enough with FrontControllers
Submitted:	2017-07-08 14:32 UTC	Modified:	2017-07-08 15:00 UTC
From:	bouvrette dot nicolas at gmail dot com	Assigned:
Status:	Wont fix	Package:	*General Issues
PHP Version:	5.6.31	OS:	All
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bouvrette dot nicolas at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2017-07-08 14:32 UTC] bouvrette dot nicolas at gmail dot com

Description:
------------
When using a single FrontController for a site, it's impossible to leverage .htaccess and/or Apache's vhost to overwrite certain ini_set values.

A good example would be `upload_max_filesize` but there are many others?

Having a FrontController give a lot of flexibility when it comes to dynamic routes and localisation and is becoming more popular with large PHP framework like Symfony and Zend.

Test script:
---------------
See https://serverfault.com/questions/857961/php-value-overrides-with-apache-using-a-front-controller for full details.

Expected result:
----------------
ini_set should be more flexible and allow more overwrites, especially to help with performance when using FrontControllers.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-07-08 15:00 UTC] requinix@php.net

-Status: Open +Status: Wont fix

[2017-07-08 15:00 UTC] requinix@php.net

Restrictions on when certain settings can be changed are almost always, if not actually always, due to technical or security reasons.

For upload_max_filesize it is the former: file uploads happen before any PHP code is executed. Changing the setting with ini_set is disallowed because it would not do anything. Thus PERDIR is the loosest restriction possible.
Naturally this also applies to other settings related to uploads.

I suggest changing upload_max_filesize for your entire site instead of just the upload directory anyways; consider that a malicious user can attempt an upload to any URL they want, regardless of whether you made a form for them to use or not. Ditto for post_max_size and similar settings.


If you have other restricted settings in mind then I can explain why they are so, and if I can't then they can certainly be revisited.

[2017-07-08 15:05 UTC] spam2 at rhsoft dot net

any script code comes simply way too late for things like upload_max_filesize because the whole upload is already processed

[2017-07-08 21:46 UTC] bouvrette dot nicolas at gmail dot com

Make sense - I will check if this is fixable on the Apache side.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Sep 24 00:00:01 2025 UTC