php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50749 max_file_uploads counts empty uploads as well
Submitted: 2010-01-14 13:46 UTC Modified: 2010-10-05 15:23 UTC
From: anzenews at volja dot net Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 5.2.12 OS: Linux
Private report: No CVE-ID: None
 [2010-01-14 13:46 UTC] anzenews at volja dot net
Description:
------------
Setting max_file_uploads limits the number of file input fields on HTML page instead of limiting the number of actually uploaded files.

Reproduce code:
---------------
<form name="formData" action="" enctype="multipart/form-data" method="post">
<?php
 for ($i=0;$i<30;$i++)
 {
   echo "File ".($i+1).":<br />\n".
        '<input name="file_'.$i.'" type="file" /><br />'."\n";
 };
?>
 <input value="OK!" type="submit" />
</form>

<pre>
<?php var_dump($_FILES) ;?>
</pre>

Expected result:
----------------
When you upload a single file (in the LAST!!! input box) and hit "OK!", you should see the uploaded file. 

Actual result:
--------------
Instead you see just 20 empty file uploads. (if max_file_uploads is set to 20, as per default)

The max_file_uploads setting should never count empty files. 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-01-15 08:55 UTC] jani@php.net
Of course it does, that's exactly it's purpose: to limit maximum number of uploads. And yes, even "empty" upload is an upload.
 [2010-01-15 10:15 UTC] anzenews at volja dot net
Then this function is no better than the safe mode, magic quotes and similar fiascos of PHP - useless and will be avoided, at least by me. 

The purpose of this function is to protect the server from DOS attacks. Does the server need many resources to process the empty files? I would guess not. 
On the other hand this is very limiting for forms that wish to have many _optional_ file upload input fields (which was how I stumbled across this bug).

Anyway, I'll just be careful to choose a host with this "feature" turned off in the future, the same as I did with safe mode. :(

Oh, and by the way, turning it on by default in the very first incarnation of this option is not very nice IMHO. It took me quite some time to figure out what is going on since there are almost no pages with this setting described yet. :(
 [2010-01-15 16:03 UTC] rasmus@php.net
The server does actually need resources even for an empty upload 
because we don't necessarily know it is empty until late in the 
request.  We have to create the filename and sit and wait for the data, 
even if none ever comes.  So, from a server resource perspective there 
is very little difference between an empty upload and a non-empty one.
 [2010-08-03 20:32 UTC] phazei at gmail dot com
This is actually very similar  to this bug:
http://bugs.php.net/bug.php?id=50692

That was filed a few days earlier.

Does it take significantly more resources than if someone simply tried to flood the server with a load of input type=text?

Not being able to set this with ini_set (http://bugs.php.net/bug.php?id=50684
) is a big issue as well that makes this an all or none problem rather than setting an exception for an admin page or something similar.
 [2010-10-05 15:23 UTC] cataphract@php.net
Fixed in revision 303970, see request #50692.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Nov 12 08:01:35 2019 UTC