Request #74882 Cannot use ini_set in a flexible manner enough with FrontControllers
Submitted: 2017-07-08 14:32 UTC Modified: 2017-07-08 15:00 UTC
From: bouvrette dot nicolas at gmail dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 5.6.31 OS: All
Private report: No CVE-ID: None
 [2017-07-08 14:32 UTC] bouvrette dot nicolas at gmail dot com
Description:
------------
When using a single FrontController for a site, it's impossible to leverage .htaccess and/or Apache's vhost to overwrite certain ini_set values.

A good example would be `upload_max_filesize` but there are many others?

Having a FrontController gives a lot of flexibility when it comes to dynamic routes and localisation and is becoming more popular with large PHP frameworks like Symfony and Zend.

Test script:
---------------
See https://serverfault.com/questions/857961/php-value-overrides-with-apache-using-a-front-controller for full details.

Expected result:
----------------
ini_set should be more flexible and allow more overwrites, especially to help with performance when using FrontControllers.


 [2017-07-08 15:00 UTC] requinix@php.net
-Status: Open +Status: Wont fix
 [2017-07-08 15:00 UTC] requinix@php.net
Restrictions on when certain settings can be changed are almost always, if not actually always, due to technical or security reasons.

For upload_max_filesize it is the former: file uploads happen before any PHP code is executed. Changing the setting with ini_set is disallowed because it would not do anything. Thus PERDIR is the loosest restriction possible.
Naturally this also applies to other settings related to uploads.

I suggest changing upload_max_filesize for your entire site instead of just the upload directory anyways; consider that a malicious user can attempt an upload to any URL they want, regardless of whether you made a form for them to use or not. Ditto for post_max_size and similar settings.


If you have other restricted settings in mind then I can explain why they are so, and if I can't then they can certainly be revisited.
 [2017-07-08 15:05 UTC] spam2 at rhsoft dot net
Any script code simply comes way too late for things like upload_max_filesize because the whole upload is already processed.
 [2017-07-08 21:46 UTC] bouvrette dot nicolas at gmail dot com
Makes sense - I will check if this is fixable on the Apache side.
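
The point made in the thread, as an added example that is not code from the report or from PHP itself: since `upload_max_filesize` cannot be changed at runtime and an upload can be sent to any URL, a front controller can keep one site-wide ini ceiling and apply tighter per-route caps to the already-parsed files. The route paths, cap values and function name are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example: per-route upload caps enforced inside a front controller.
// Route paths, cap values and the function name are hypothetical.

// upload_max_filesize is PHP_INI_PERDIR, so ini_set() refuses the change;
// the body was parsed against the ini limit before this script started.
$runtimeChange = ini_set('upload_max_filesize', '64M');

// Per-route caps in bytes. Each must stay at or below the site-wide
// upload_max_filesize / post_max_size set in php.ini or the vhost.
const ROUTE_CAPS = [
    '/media/upload' => 8 * 1024 * 1024,
    '/avatar'       => 512 * 1024,
];
const DEFAULT_CAP = 0; // routes without an entry accept no uploads at all

/** Returns field => reason for every upload the requested route does not allow. */
function rejected_uploads(string $path, array $files): array
{
    $cap = ROUTE_CAPS[$path] ?? DEFAULT_CAP;
    $rejected = [];
    foreach ($files as $field => $file) {
        if ($file['error'] === UPLOAD_ERR_NO_FILE) {
            continue; // empty file input, nothing was sent
        }
        if ($file['error'] !== UPLOAD_ERR_OK) {
            // e.g. UPLOAD_ERR_INI_SIZE: PHP already stopped it at the ini limit
            $rejected[$field] = 'upload error ' . $file['error'];
        } elseif ($file['size'] > $cap) {
            $rejected[$field] = "exceeds route cap of $cap bytes";
        }
    }
    return $rejected;
}

// Constructed sample shaped like $_FILES (single-file fields only).
$sample = [
    'photo' => ['name' => 'a.jpg', 'size' => 700 * 1024, 'error' => UPLOAD_ERR_OK],
];

var_dump($runtimeChange);
foreach (['/avatar', '/media/upload', '/contact'] as $route) {
    echo $route, ': ', json_encode(rejected_uploads($route, $sample)), "\n";
}
```

In a real front controller the check would run on `$_FILES` before dispatching to the route handler, with a rejection answered by HTTP 413.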
Last updated: Sat Apr 20 01:01:28 2024 UTC