php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74318 Partially uploaded files are not deleted
Submitted: 2017-03-27 14:53 UTC Modified: 2017-03-28 11:36 UTC
From: vobruba dot martin at gmail dot com Assigned: ab (profile)
Status: Closed Package: Apache2 related
PHP Version: 7.1.3 OS:
Private report: No CVE-ID: None
 [2017-03-27 14:53 UTC] vobruba dot martin at gmail dot com
Description:
------------
If you make an incomplete upload request (Content-Length header value is larger than POSTed body) a temporary upload_tmp_dir/php* file won't be deleted after the request is processed by server which is bad because upload_tmp_dir is growing in size.

I think that this is related to this patch https://github.com/php/php-src/pull/2323 because I cannot replicate this problem in 7.1.2.

Test script:
---------------
<?php

$rn = "\r\n";
$boundary = '------------------BOUNDARY';
$fileSize = 5 * 1024 * 1024;	// upload size must be larger than input buffer size
$offset = 1000;	// should cause timeout if distinctly larger than 0
$connectHost = 'CHANGE.THIS.HOST';
$connectPort = 443;
$connectProto = 'ssl';
$requestUri = '/upload.php';

$content  = '--'.$boundary.$rn;
$content .= 'Content-Disposition: form-data; name="file"; filename="test.txt"'.$rn;
$content .= 'Content-Type: application/octet-stream'.$rn.$rn;
$content .= str_repeat('a', $fileSize).$rn;
$content .= '--'.$boundary.'--';

$headers  = 'POST '.$requestUri.' HTTP/1.1'.$rn;
$headers .= 'Host: '.$connectHost.$rn;
$headers .= 'Connection: close'.$rn;
$headers .= 'Content-Length: '.(strlen($content) + $offset).$rn;
$headers .= 'Content-Type: multipart/form-data; boundary='.$boundary.$rn.$rn;


$socket = fsockopen($connectProto.'://'.$connectHost, $connectPort);
fwrite($socket, $headers.$rn.$content);
while(!feof($socket)) {
	echo fread($socket, 1024);
}
fclose($socket);


Expected result:
----------------
Associated upload_tmp_dir/php* file is deleted after the request is processed.

Actual result:
--------------
Associated upload_tmp_dir/php* file is not deleted.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-03-28 06:51 UTC] vobruba dot martin at gmail dot com
BTW I believe this is a security issue because anyone can easily cause a denial of service using this bug.
 [2017-03-28 11:36 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2017-03-28 11:36 UTC] ab@php.net
Fixed by reverting 80c8d84af303d2fddc9ba9f181c7117b9040811d, bug #61471 reopened once again.

Thanks.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Jul 17 06:01:44 2018 UTC