php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #7565 upload_max_filesize doesn't work correctly
Submitted: 2000-11-01 06:10 UTC Modified: 2000-12-18 11:36 UTC
From: dwakelin at madge dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.1pl2 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dwakelin at madge dot com
New email:
PHP Version: OS:

 

 [2000-11-01 06:10 UTC] dwakelin at madge dot com 
If I set upload_max_filesize=20000000 (in php.ini) and I try to upload a 80 Meg file I do get an error but only after the whole 80 Meg has been loaded into the httpd process (not into a temporary file but into the address space of the Apache server).

The system I'm running PHP on only has 32 Meg of memory so an 80 Meg process does it no good at all. I've also tried memory_limit=20000000 (in php.ini) but that doesn't catch the problem.

This is with php 4.0.1pl2 (and 3.0.12) running on RedHat Linux 6.1 and Apache 1.3.12

I think the problem lies in "sapi_read_standard_form_data" from main\SAPI.c. The function loops around until it has loaded the entire data into memory before passing it onto the rfc1867 code to reject it with "Max file size of 20000000  bytes exceeded - file [uploadFile]".

This behaviour makes my server susceptible to a denial of service attack just by uploading a 140 Meg file the system runs out of memory and swap space and slowly grinds to a halt.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-12-18 11:36 UTC] sniper@php.net 
Change it to 2M instead. And use PHP 4.0.3pl1 instead..

--Jani
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue May 06 09:01:28 2025 UTC