You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If the value for upload_max_filesize is set to a non numeric value in the php.ini then it's not clear how the system is going to behave. For instance set
upload_max_filesize = bogus
in the php.ini file.
ini_get and phpinfo return the bogus string. As far as I can tell there is no limit enforced on uploads in this case but no warnings or errors are reported. This behavior is undocumented.
Other invalid values produce different results
upload_max_filesize = 1zz
Appears to set the limit to 1 byte. In general it appears that trailing input is ignored. This makes it very difficult to interpret the results of ini_get because that will return the value as it exists in the ini file but without knowing the exact rules it's impossible to convert this to the actual limit that PHP will enforce. In turn this makes it difficult to write diagnostic tools to try to detect why uploads are failing and suggest to users how to fix it.
Ideally to the extent that PHP is normalizing the value in the ini file, ini_get should return the normalized value that PHP is using. A completely invalid value should probably not be interpreted as "no limit whatsoever". That seems to invite an unfortunate typo turning into a potential DOS issue.
PHP Version
PHP 8.3.0
Operating System
Windows 10
The text was updated successfully, but these errors were encountered:
Pb is, and you re right that s a bit of an issue for this kind of case, these ini entries are stored as string "as-is". Some work can be done before the zval get cast to a zend_string. Would need some thoughts for how to go about the value sanitisation policy.
While I agree that there is room for improvement here, I wouldn't call the current behavior a bug (after all, these INI settings behave like this for many years). Maybe a respective feature request is more appropriate.
Description
If the value for upload_max_filesize is set to a non numeric value in the php.ini then it's not clear how the system is going to behave. For instance set
upload_max_filesize = bogus
in the php.ini file.
ini_get and phpinfo return the bogus string. As far as I can tell there is no limit enforced on uploads in this case but no warnings or errors are reported. This behavior is undocumented.
Other invalid values produce different results
upload_max_filesize = 1zz
Appears to set the limit to 1 byte. In general it appears that trailing input is ignored. This makes it very difficult to interpret the results of ini_get because that will return the value as it exists in the ini file but without knowing the exact rules it's impossible to convert this to the actual limit that PHP will enforce. In turn this makes it difficult to write diagnostic tools to try to detect why uploads are failing and suggest to users how to fix it.
Ideally to the extent that PHP is normalizing the value in the ini file, ini_get should return the normalized value that PHP is using. A completely invalid value should probably not be interpreted as "no limit whatsoever". That seems to invite an unfortunate typo turning into a potential DOS issue.
PHP Version
PHP 8.3.0
Operating System
Windows 10
The text was updated successfully, but these errors were encountered: