Invalid values for upload_max_filesize cause undefined behavior.

[vbimpex]

Description

If the value for upload_max_filesize is set to a non numeric value in the php.ini then it's not clear how the system is going to behave. For instance set
upload_max_filesize = bogus
in the php.ini file.

ini_get and phpinfo return the bogus string. As far as I can tell there is no limit enforced on uploads in this case but no warnings or errors are reported. This behavior is undocumented.

Other invalid values produce different results
upload_max_filesize = 1zz

Appears to set the limit to 1 byte. In general it appears that trailing input is ignored. This makes it very difficult to interpret the results of ini_get because that will return the value as it exists in the ini file but without knowing the exact rules it's impossible to convert this to the actual limit that PHP will enforce. In turn this makes it difficult to write diagnostic tools to try to detect why uploads are failing and suggest to users how to fix it.

Ideally to the extent that PHP is normalizing the value in the ini file, ini_get should return the normalized value that PHP is using. A completely invalid value should probably not be interpreted as "no limit whatsoever". That seems to invite an unfortunate typo turning into a potential DOS issue.

PHP Version

PHP 8.3.0

Operating System

Windows 10

[devnexen]

Pb is, and you re right that s a bit of an issue for this kind of case, these ini entries are stored as string "as-is". Some work can be done before the zval get cast to a zend_string. Would need some thoughts for how to go about the value sanitisation policy.

[cmb69]

While I agree that there is room for improvement here, I wouldn't call the current behavior a bug (after all, these INI settings behave like this for many years). Maybe a respective feature request is more appropriate.