On Sat, Sep 10, 2022 at 23:23, David Gebler <davidgeb...@gmail.com> wrote:

> On Sat, Sep 10, 2022 at 3:05 PM juan carlos morales <dev.juan.mora...@gmail.com> wrote:
>
>> I also agree that increasing the size to something bigger than 8M
>> might not be a good idea; I can imagine that a value bigger than 8M
>> (like 50M) will cause an impact in hosting platforms especially, which
>> will be forced to always change the php's default values to a lower
>> one, because of potential DoS Attacks.
>>
>> Default settings should have a reasonable level of security in mind.
>>
>
> Do these settings actually have any impact in respect of DoS attacks? As
> far as I'm aware, neither post_max_size nor upload_max_filesize do anything
> to prevent or terminate processes where the client sends data exceeding
> these limits; that's something you should handle in your webserver.
>

For example, password hash DoS attack was made possible because PHP allows 8MB post data.
https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/

IIRC, Drupal has a security release for this.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
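
Added example, not part of the original thread and not PHP's or Drupal's own code: an application-level length cap applied before an iterated password hash, which bounds the hashing cost of a login request whatever post_max_size is set to. The hash loop, the function names and the 512-byte cap are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed cap; pick one that fits the application's password policy.
const MAX_PASSWORD_BYTES = 512;

/**
 * Constructed iterated hash (illustrative only). The password is fed into
 * every round, so the work grows with rounds * strlen($password).
 */
function stretch(string $password, string $salt, int $rounds): string
{
    $hash = hash('sha512', $salt . $password, true);
    for ($i = 0; $i < $rounds; $i++) {
        $hash = hash('sha512', $hash . $password, true);
    }
    return $hash;
}

/**
 * Verify a login attempt, refusing oversized input before any hashing,
 * so a multi-megabyte "password" costs one strlen() instead of many rounds.
 */
function verify_password(string $password, string $salt, int $rounds, string $expected): bool
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($expected, stretch($password, $salt, $rounds));
}

// Constructed sample data.
$salt   = 'constructed-salt';
$rounds = 1 << 12;
$stored = stretch('correct horse', $salt, $rounds);

var_dump(verify_password('correct horse', $salt, $rounds, $stored));

// A 1 MB input fits well inside an 8M post_max_size but never reaches the hash loop.
$start = microtime(true);
var_dump(verify_password(str_repeat('A', 1000000), $salt, $rounds, $stored));
printf("oversized input rejected in %.6f s\n", microtime(true) - $start);
```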