Bug #33666 "MAX_FILE_SIZE" can not be smaller than 1024*5
Submitted: 2005-07-12 17:22 UTC Modified: 2005-07-12 17:51 UTC
From: cb dot utblog at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.1.0b2 OS: Redhat 8.0
Private report: No CVE-ID: None
 [2005-07-12 17:22 UTC] cb dot utblog at gmail dot com
When uploading a file, in the post form, there's a hidden zone: <input type="hidden" name="MAX_FILE_SIZE" value="100">.
The value of "MAX_FILE_SIZE" equals 10 (bytes) here; it doesn't work.

Actually, whenever MAX_FILE_SIZE is set to less than 1024*5, it doesn't work. The file will be uploaded and stored without error.

What does 1024*5 mean? It's the size of the buffer used to get file data from the multi-part body (FILLUNIT).

The mistake comes from here:
in main/rfc1867.c,
it compares how many bytes have been read (total_bytes) to "MAX_FILE_SIZE" after reading again but before increasing total_bytes.

Reproduce code:
			while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
			{
				if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
					sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
					cancel_upload = UPLOAD_ERROR_A;
				} else if (max_file_size && (total_bytes > max_file_size)) {
//>> COMPARE total_bytes TO max_file_size BEFORE INCREASING total_bytes
					sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
					cancel_upload = UPLOAD_ERROR_B;
				} else if (blen > 0) {
					wlen = write(fd, buff, blen);
					if (wlen < blen) {
						sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
						cancel_upload = UPLOAD_ERROR_C;
					} else {
//>> CHANGE total_bytes HERE, IT'S TOO LATE
						total_bytes += wlen;
					}
				}
			}
			if (fd!=-1) { /* may not be initialized if file could not be created */


 [2005-07-12 17:51 UTC]
And the answer to this is pretty simple: to even get the value of that, you have to read a certain amount of data.
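
Added example (not part of the report and not PHP's own code): a self-contained C model of the loop quoted in the report, with a simulated reader standing in for multipart_buffer_read(), that compares the quoted check order with one that accounts for the chunk before storing it. The function names and sample sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define FILLUNIT (1024 * 5) /* read-buffer size named in the report */

/* Simulated multipart reader: returns at most FILLUNIT bytes per call. */
static size_t read_chunk(size_t *remaining) {
    size_t n = *remaining < FILLUNIT ? *remaining : FILLUNIT;
    *remaining -= n;
    return n;
}

/* Order quoted in the report: the limit is compared with the running total
 * before the chunk just read has been added to it. Returns bytes stored. */
size_t store_check_then_count(size_t upload_len, size_t limit, int *cancelled) {
    size_t total = 0, blen, remaining = upload_len;
    *cancelled = 0;
    while (!*cancelled && (blen = read_chunk(&remaining)) > 0) {
        if (limit && total > limit)
            *cancelled = 1;
        else
            total += blen; /* stands in for write() and total_bytes += wlen */
    }
    return total;
}

/* Alternative order: reject the chunk if storing it would pass the limit.
 * total <= limit always holds here, so limit - total cannot wrap. */
size_t store_count_then_check(size_t upload_len, size_t limit, int *cancelled) {
    size_t total = 0, blen, remaining = upload_len;
    *cancelled = 0;
    while (!*cancelled && (blen = read_chunk(&remaining)) > 0) {
        if (limit && blen > limit - total)
            *cancelled = 1;
        else
            total += blen;
    }
    return total;
}

int main(void) {
    int c1, c2;
    size_t a = store_check_then_count(3000, 100, &c1);
    size_t b = store_count_then_check(3000, 100, &c2);
    printf("check-then-count: stored=%zu cancelled=%d\n", a, c1);
    printf("count-then-check: stored=%zu cancelled=%d\n", b, c2);
    return 0;
}
```

With the quoted order, any upload that fits in one FILLUNIT read is stored whole regardless of the limit, and a larger one is only cancelled after a full buffer past the limit has already been written.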
