Description:
------------
Suggestion: Don't create temporary files when receiving a "multipart/form-data" POST until they are needed by the PHP code. This is an alternative solution to CVE-2009-4017 that does not require a max_file_uploads limit.

My understanding of the current function of RFC-1867 (Form-based File Upload in HTML) is that the list of files and the data for the files is sent before there is any processing of the PHP code in the requested page. (And regardless if the Apache-httpd server is PHP enabled or not?) However, a PHP enabled server controls the response to the POST request and with the max_file_uploads limit it will not process any more files than what it's limited to.

My question is: Isn't there a way to go even further and not respond to the file uploads in the POST request until it's needed in the PHP code? I.e. by only asking for file data when an element in $_FILES is requested by the PHP code? For example, when $_FILES[#] or $_FILES[#]["tmp_name"] is accessed in the PHP code (with move_uploaded_file or otherwise), the PHP execution halts and waits for that file to be uploaded, and so on with the other files. That way the vulnerability would be solved and there wouldn't be a need for the max_file_uploads limit. Or is there no two-way communication so that files are submitted one at a time from the client regardless of the response from the server (so that this solution is not possible)?

Reproduce code:
---------------
Page request with File Upload

Expected result:
----------------
Files are only created on the server when they are needed in the PHP code

Actual result:
--------------
Files are created on the server regardless if they are needed in the PHP code or not