Bug #74318 Partially uploaded files are not deleted
Submitted: 2017-03-27 14:53 UTC Modified: 2017-03-28 11:36 UTC
From: vobruba dot martin at gmail dot com Assigned: ab (profile)
Status: Closed Package: Apache2 related
PHP Version: 7.1.3 OS:
Private report: No CVE-ID: None


 [2017-03-27 14:53 UTC] vobruba dot martin at gmail dot com
If you make an incomplete upload request (the Content-Length header value is larger than the POSTed body), a temporary upload_tmp_dir/php* file won't be deleted after the request is processed by the server, which is bad because upload_tmp_dir is growing in size.

I think that this is related to this patch because I cannot replicate this problem in 7.1.2.

Test script:

<?php
$rn = "\r\n";
$boundary = '------------------BOUNDARY';
$fileSize = 5 * 1024 * 1024;	// upload size must be larger than input buffer size
$offset = 1000;	// should cause timeout if distinctly larger than 0
$connectHost = 'CHANGE.THIS.HOST';
$connectPort = 443;
$connectProto = 'ssl';
$requestUri = '/upload.php';

// multipart/form-data body containing a single file part
$content  = '--'.$boundary.$rn;
$content .= 'Content-Disposition: form-data; name="file"; filename="test.txt"'.$rn;
$content .= 'Content-Type: application/octet-stream'.$rn.$rn;
$content .= str_repeat('a', $fileSize).$rn;
$content .= '--'.$boundary.'--';

// request headers; Content-Length declares $offset more bytes than are actually sent
$headers  = 'POST '.$requestUri.' HTTP/1.1'.$rn;
$headers .= 'Host: '.$connectHost.$rn;
$headers .= 'Connection: close'.$rn;
$headers .= 'Content-Length: '.(strlen($content) + $offset).$rn;
$headers .= 'Content-Type: multipart/form-data; boundary='.$boundary.$rn.$rn;

$socket = fsockopen($connectProto.'://'.$connectHost, $connectPort);
// $headers already ends with a blank line, so the extra $rn is sent as the first bytes of the body
fwrite($socket, $headers.$rn.$content);
// print the server's response until it closes the connection
while (!feof($socket)) {
	echo fread($socket, 1024);
}
fclose($socket);

Expected result:
Associated upload_tmp_dir/php* file is deleted after the request is processed.

Actual result:
Associated upload_tmp_dir/php* file is not deleted.


 [2017-03-28 06:51 UTC] vobruba dot martin at gmail dot com
BTW I believe this is a security issue because anyone can easily cause a denial of service using this bug.
 [2017-03-28 11:36 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: ab
 [2017-03-28 11:36 UTC]
Fixed by reverting 80c8d84af303d2fddc9ba9f181c7117b9040811d, bug #61471 reopened once again.
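
For hosts that ran the affected build, a sweep for orphaned upload_tmp_dir/php* files, as an added example that is not part of the original report or of PHP itself. The function names, the one-hour staleness threshold and the sample file names are assumptions; the threshold should exceed the longest legitimate upload on the server.

```python
import os
import stat
import tempfile
import time

def stale_upload_files(tmp_dir, max_age, now=None):
    """Return [(path, size)] for regular php* files untouched for more than max_age seconds."""
    now = time.time() if now is None else now
    found = []
    with os.scandir(tmp_dir) as entries:
        for entry in entries:
            if not entry.name.startswith("php"):
                continue  # only the php* temp files named in the report
            try:
                st = entry.stat(follow_symlinks=False)  # never follow symlinks
            except FileNotFoundError:
                continue  # PHP removed the file while we were scanning
            if stat.S_ISREG(st.st_mode) and now - st.st_mtime > max_age:
                found.append((entry.path, st.st_size))
    return sorted(found)

def sweep(tmp_dir, max_age, delete=False, now=None):
    """Report (delete=False) or remove (delete=True) orphaned upload temp files."""
    count = freed = 0
    for path, size in stale_upload_files(tmp_dir, max_age, now):
        if delete:
            try:
                os.unlink(path)
            except FileNotFoundError:
                continue  # already gone, nothing to account for
        count += 1
        freed += size
    return {"count": count, "bytes": freed}

def demo():
    """Constructed sample: one orphaned upload, one in-progress upload, one unrelated file."""
    samples = [("phpA1b2C3", 4096, 7200), ("phpZ9y8X7", 1024, 5), ("sess_abc", 10, 7200)]
    with tempfile.TemporaryDirectory() as d:
        now = time.time()
        for name, size, age in samples:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"a" * size)
            os.utime(path, (now - age, now - age))  # backdate mtime by `age` seconds
        report = sweep(d, max_age=3600, delete=True, now=now)
        return report, sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

Running `sweep` with `delete=False` gives a count and byte total suitable for a disk-usage alert before anything is removed.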
