Request #52946 Re-open #50684
Submitted: 2010-09-28 22:10 UTC
Modified: 2010-10-04 13:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: guy dot paddock at redbottledesign dot com
Assigned:
Status: Wont fix
Package: PHP options/info functions
PHP Version: 5.2.14
OS: Linux / CentOS 5.2
Private report: No
CVE-ID: None

 [2010-09-28 22:10 UTC] guy dot paddock at redbottledesign dot com
Description:
------------
Issue #50684 ("max_file_uploads can't be changed from .htaccess (or ini_set)") 
is currently "closed", but was not satisfactorily resolved. 
"jani@php.net" did not provide a legitimate reason why the "max_file_uploads" 
setting should not be override-able at the Apache or .htaccess level.

Since PHP allows other settings like "memory_limit", "max_execution_time", and 
the like to be overridden, it does not make intuitive sense for the 
"max_file_uploads" setting to be left out.

Until this is fixed, we are running with this setting disabled. Meanwhile, other 
developers who have encountered this "feature" of PHP 5.2.12 and later have had 
to resort to ugly, non-standard JavaScript hacks to get around the inherent 
problems with the approach of this setting.

See:
http://allinthehead.com/retro/349/the-curse-of-max_file_uploads

I would dearly like to see this setting not go the way of the ill-fated 
"safe_mode" setting, where it's implemented but no one can use it because it 
isn't useful to anyone in particular.


 [2010-10-04 13:39 UTC] cataphract@php.net
-Status: Open +Status: Wont fix
 [2010-10-04 13:39 UTC] cataphract@php.net
In my opinion, it would be reasonable to make max_file_uploads PHP_INI_PERDIR. However, other people are concerned this would be too dangerous as users could set it too high and open the server to a temp file exhaustion DoS attack.

In any case, with the implementation of the feature request in bug #50692, the need for this is reduced.

The forum for discussion of non-consensual features is the internals mailing list, so if you feel strongly against the current state of affairs, you may want to bring the issue there.
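
The trade-off discussed in this thread, as an added example (not code from the report or from php.net): a PHP script that reports where each upload-related directive can be set on the running build and estimates an upper bound on the temp files concurrent requests can create. It assumes PHP 7 or later; the helper names and the worker count of 50 are hypothetical.

```php
<?php
// Added example, not php.net code. Helper names are hypothetical.

// Convert php.ini shorthand such as "2M" or "1G" to bytes.
function ini_bytes(string $value): int {
    $value = trim($value);
    $n = (int) $value;
    switch (strtolower(substr($value, -1))) {
        case 'g': $n *= 1024; // fall through
        case 'm': $n *= 1024; // fall through
        case 'k': $n *= 1024;
    }
    return $n;
}

// Decode the 'access' bitmask reported by ini_get_all().
function ini_scope(int $access): array {
    return [
        'ini_set() at runtime'          => (bool) ($access & INI_USER),
        'per-dir (.htaccess/.user.ini)' => (bool) ($access & INI_PERDIR),
        'php.ini / httpd.conf'          => (bool) ($access & INI_SYSTEM),
    ];
}

// Upper-bound estimate of temp-file usage before any script code runs.
function upload_exposure(array $ini, int $workers): array {
    $files   = (int) $ini['max_file_uploads']['local_value'];
    $perFile = ini_bytes((string) $ini['upload_max_filesize']['local_value']);
    $post    = ini_bytes((string) $ini['post_max_size']['local_value']);
    $bytes   = $files * $perFile;
    if ($post > 0) {                 // 0 means no limit on the request body
        $bytes = min($bytes, $post); // the body size caps the total
    }
    return [
        'temp_files_per_request' => $files,
        'temp_bytes_per_request' => $bytes,
        'temp_files_all_workers' => $files * $workers,
        'temp_bytes_all_workers' => $bytes * $workers,
    ];
}

$ini     = ini_get_all();  // details (global_value, local_value, access) by default
$workers = 50;             // hypothetical number of concurrent PHP workers
$names   = ['max_file_uploads', 'upload_max_filesize', 'post_max_size', 'upload_tmp_dir'];
foreach ($names as $name) {
    $scope = array_keys(array_filter(ini_scope($ini[$name]['access'])));
    printf("%-20s = %-12s settable via: %s\n", $name,
        var_export($ini[$name]['local_value'], true), implode(', ', $scope));
}
print_r(upload_exposure($ini, $workers));
```

Run it under the same SAPI and virtual host as the application, since the CLI usually loads a different php.ini.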
 
Last updated: Wed Oct 16 10:01:27 2019 UTC