Bug #33666 "MAX_FILE_SIZE" can not be smaller than 1024*5
Submitted: 2005-07-12 17:22 UTC Modified: 2005-07-12 17:51 UTC
From: cb dot utblog at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.1.0b2 OS: Redhat 8.0
Private report: No CVE-ID: None

 [2005-07-12 17:22 UTC] cb dot utblog at gmail dot com
Description:
------------
When uploading a file, in the post form, there's a hidden zone: <input type="hidden" name="MAX_FILE_SIZE" value="100">.
The value of "MAX_FILE_SIZE" equals 10 (bytes) here; it doesn't work.

Actually, whenever MAX_FILE_SIZE is set to less than 1024*5, it doesn't work. The file will be uploaded and stored without error.

What does 1024*5 mean? It's the size of the buffer used to get file data from the multipart body (FILLUNIT).

The mistake comes from here:
in main/rfc1867.c,
function "SAPI_POST_HANDLER_FUNC",
it compares how many bytes have been read (total_bytes) to "MAX_FILE_SIZE" after reading again but before increasing total_bytes.


Reproduce code:
---------------
			while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
			{
//>> UP TO 1025*5 BYTES HAS BEEN READ
				if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
					sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
#endif
					cancel_upload = UPLOAD_ERROR_A;
				} else if (max_file_size && (total_bytes > max_file_size)) {
//>> COMPARE total_bytes TO max_file_size BEFORE INCREASING total_bytes 
#if DEBUG_FILE_UPLOAD
					sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
#endif
					cancel_upload = UPLOAD_ERROR_B;
				} else if (blen > 0) {
					wlen = write(fd, buff, blen);
			
					if (wlen < blen) {
#if DEBUG_FILE_UPLOAD
						sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
#endif
						cancel_upload = UPLOAD_ERROR_C;
					} else {
//>> CHANGE total_bytes HERE, IT'S TOO LATE
						total_bytes += wlen;
					}
				} 
			}
			if (fd!=-1) { /* may not be initialized if file could not be created */
				close(fd);
			}
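
The check order described in the report, reduced to a small model and set beside an order that counts the chunk just read. This is an added example, not PHP source and not code from the report: read_chunk(), store_check_before() and store_check_with_chunk() are hypothetical names, and the model assumes the reader always returns full FILLUNIT-sized chunks until the body runs out.

```c
#include <stdio.h>
#include <stddef.h>

#define FILLUNIT (1024 * 5) /* read-buffer size named in the report */

/* Constructed stand-in for multipart_buffer_read(): returns the size of the
 * next chunk (at most FILLUNIT) and consumes it from the remaining body. */
static size_t read_chunk(size_t *remaining) {
    size_t n = *remaining < FILLUNIT ? *remaining : FILLUNIT;
    *remaining -= n;
    return n;
}

/* Check order from the report: the limit is compared with the bytes already
 * written, so the chunk just read is never part of the comparison. */
size_t store_check_before(size_t body_len, size_t max_file_size, int *cancelled) {
    size_t total_bytes = 0, blen;
    *cancelled = 0;
    while (!*cancelled && (blen = read_chunk(&body_len)) > 0) {
        if (max_file_size && total_bytes > max_file_size)
            *cancelled = 1;
        else
            total_bytes += blen; /* models write() followed by the increment */
    }
    return total_bytes;
}

/* Alternative order: count the chunk just read before deciding to write it. */
size_t store_check_with_chunk(size_t body_len, size_t max_file_size, int *cancelled) {
    size_t total_bytes = 0, blen;
    *cancelled = 0;
    while (!*cancelled && (blen = read_chunk(&body_len)) > 0) {
        if (max_file_size && total_bytes + blen > max_file_size)
            *cancelled = 1;
        else
            total_bytes += blen;
    }
    return total_bytes;
}

int main(void) {
    size_t sizes[] = { 50, 4000, 5120, 5121, 20000 }; /* constructed upload sizes */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int c1, c2;
        size_t a = store_check_before(sizes[i], 100, &c1);
        size_t b = store_check_with_chunk(sizes[i], 100, &c2);
        printf("%5zu bytes: before-check stored %zu (cancel=%d), with-chunk stored %zu (cancel=%d)\n",
               sizes[i], a, c1, b, c2);
    }
    return 0;
}
```

With a limit of 100 bytes, the first order stores any body of up to FILLUNIT bytes without cancelling, and for larger bodies it has already written one full chunk before the limit fires.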



 [2005-07-12 17:51 UTC] sniper@php.net
And the answer to this is pretty simple: to even get the value of that, you have to read a certain amount of data.

 
Last updated: Tue Sep 17 22:01:28 2024 UTC