php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #52946 Re-open #50684
Submitted: 2010-09-28 22:10 UTC Modified: 2010-10-04 13:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: guy dot paddock at redbottledesign dot com Assigned:
Status: Wont fix Package: PHP options/info functions
PHP Version: 5.2.14 OS: Linux / CentOS 5.2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: guy dot paddock at redbottledesign dot com
New email:
PHP Version: OS:

 

 [2010-09-28 22:10 UTC] guy dot paddock at redbottledesign dot com 
Description:
------------
Issue #50684 ("max_file_uploads can't be changed from .htaccess (or ini_set)") 
is currently "closed", but was not satisfactorily resolved. 
"jani@php.net" did not provide a legitimate reason why the "max_file_uploads" 
setting should not be override-able at the apache or .htaccess level.

Since PHP allows other settings like "memory_limit", "max_execution_time", and 
the like to be overridden, it does not make intuitive sense for the 
"max_file_uploads" setting to be left out.

Until this is fixed, we are running with this setting disabled. Meanwhile, other 
developers who have encountered this "feature" of PHP 5.2.12 and later have had 
to resort to ugly, non-standard JavaScript hacks to get around the inherent 
problems with the approach of this setting.

See:
http://allinthehead.com/retro/349/the-curse-of-max_file_uploads

I would dearly like to see this setting not go the way of the ill-fated 
"safe_mode" setting, where it's implemented but no one can use it because it 
isn't useful to anyone in particular.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-04 13:39 UTC] cataphract@php.net
-Status: Open +Status: Wont fix
 [2010-10-04 13:39 UTC] cataphract@php.net 
In my opinion, it would be reasonable to make max_file_uploads PHP_INI_PERDIR. However, other people are concerned this would be too dangerous as users could set it too high and open the server to a temp file exhaustion DOS attack.

In any case, with the implementation of the feature request in bug #50692, the need for this is reduced.

The forum for discussion of non-consensual features is the internals mailing list, so if you feel strongly against the current state of affairs, you may want to bring the issue there.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 05:01:29 2024 UTC