Re: MAX_FILE_SIZE not working with file uploads

Jeff Cohan wrote:

Dan Parry wrote:
I might be wrong but this would be classed as 'exploitable'... Webservers should not be allowed to read from or write to clients... Of course there is ActiveX...

I think we're off the point.

My script is simply interrogating the value of the
$_FILES[userfile][size] array element. It's coming up as ZERO if it
exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
the way it's SUPPOSED to work. That's why I started this thread out
with "What am I missing?".

Said another way:

It seems that the server had to know the size of the file in order
to know it exceeded MAX_FILE_SIZE. So how can my script find out the
size?


OK, not sure why anybody has pointed this out, but...

A signed JavaScript session is allowed to access the local file system through the browser. But an unsigned JS process/session is not.

Now, the reason that PHP can't do anything about the file upload while in process, is that PHP doesn't know anything about the file upload until Apache/IIS/... hands off the uploaded file to PHP.

Apache is actually the part receiving the uploaded file. Once it is completely uploaded, the web server passes the temporary file name to PHP and then PHP gets what information about it it can.

Try trapping the error. You will probably want to try with a setting in the php.ini or a .htaccess file that will change your error_handler function to some custom function that you can then use to allow the script to continue running, but capture and pass off information to the rest of your scripts.

Then see if in the $_FILES array you find a temp file name. Before your script ends, you might be able to look at the stats of that temp file and glean some of the information that you are wanting to know from it.


Remember, when uploading a file, your scripts are only parsed before the upload actually starts. Only once your upload completes successfully will it then execute your PHP scripts.

From what research and testing that I have done, this is the way PHP handles uploads. This was on a Redhat/Apache/PHP4 setup, back about 6 years ago.

Hope it is still accurate.

Jim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
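
Added example, not part of the original thread or of any poster's code: one way a script can report an oversized upload using the `error` element of `$_FILES` and the request's `CONTENT_LENGTH`, since `size` is 0 in that case. The names `checkUpload` and `SERVER_MAX_BYTES`, the 2 MB cap and the sample array are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Server-side cap, an assumed value for this example. MAX_FILE_SIZE is a
// form field sent by the client, so the server must enforce its own limit.
const SERVER_MAX_BYTES = 2 * 1024 * 1024;

/**
 * Classify one $_FILES entry; returns [bool $ok, string $message].
 * $contentLength is (int) $_SERVER['CONTENT_LENGTH'], the size of the whole
 * POST body: the only size hint left once PHP has discarded the file.
 */
function checkUpload(?array $file, ?int $contentLength): array
{
    $hint = $contentLength === null ? 'size unknown' : "request body was $contentLength bytes";
    if ($file === null) {
        // When the body exceeds post_max_size, $_POST and $_FILES arrive empty.
        return [false, $contentLength ? "POST rejected ($hint)" : 'no file sent'];
    }
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_FORM_SIZE: // larger than the form's MAX_FILE_SIZE
        case UPLOAD_ERR_INI_SIZE:  // larger than upload_max_filesize
            // PHP reports size 0 and an empty tmp_name for these two codes.
            return [false, "file too large ($hint)"];
        case UPLOAD_ERR_NO_FILE:
            return [false, 'no file sent'];
        default:
            return [false, 'upload failed, error code ' . $file['error']];
    }
    // On success, size is the byte count PHP actually received.
    if ($file['size'] > SERVER_MAX_BYTES) {
        return [false, "file too large ({$file['size']} bytes)"];
    }
    return [true, 'ok'];
}

// Constructed sample: the entry PHP builds when MAX_FILE_SIZE is exceeded.
$sample = ['name' => 'big.iso', 'type' => '', 'tmp_name' => '',
           'error' => UPLOAD_ERR_FORM_SIZE, 'size' => 0];
[$ok, $message] = checkUpload($sample, 5242880);
echo $message, PHP_EOL;

// In a request handler the call would be:
// checkUpload($_FILES['userfile'] ?? null,
//     isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : null);
```

`CONTENT_LENGTH` covers the whole multipart body (all fields plus boundaries), so it is an upper bound on the file size rather than the exact figure.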

