-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid values for upload_max_filesize cause undefined behavior. #14695
Comments
Pb is, and you re right that s a bit of an issue for this kind of case, these ini entries are stored as string "as-is". Some work can be done before the zval get cast to a zend_string. Would need some thoughts for how to go about the value sanitisation policy. |
While I agree that there is room for improvement here, I wouldn't call the current behavior a bug (after all, these INI settings behave like this for many years). Maybe a respective feature request is more appropriate. |
Agreed this is not a bug but more something that can be improved - it means feature... |
Description
If the value for upload_max_filesize is set to a non numeric value in the php.ini then it's not clear how the system is going to behave. For instance set
upload_max_filesize = bogus
in the php.ini file.
ini_get and phpinfo return the bogus string. As far as I can tell there is no limit enforced on uploads in this case but no warnings or errors are reported. This behavior is undocumented.
Other invalid values produce different results
upload_max_filesize = 1zz
Appears to set the limit to 1 byte. In general it appears that trailing input is ignored. This makes it very difficult to interpret the results of ini_get because that will return the value as it exists in the ini file but without knowing the exact rules it's impossible to convert this to the actual limit that PHP will enforce. In turn this makes it difficult to write diagnostic tools to try to detect why uploads are failing and suggest to users how to fix it.
Ideally to the extent that PHP is normalizing the value in the ini file, ini_get should return the normalized value that PHP is using. A completely invalid value should probably not be interpreted as "no limit whatsoever". That seems to invite an unfortunate typo turning into a potential DOS issue.
PHP Version
PHP 8.3.0
Operating System
Windows 10
The text was updated successfully, but these errors were encountered: