From: cb dot utblog at gmail dot com
Operating system: Redhat 8.0
PHP version: 5.1.0b2
PHP Bug Type: *General Issues
Bug description: http://www.utblog.com/plog/CB
Description:
------------
When uploading a file, in the POST form there's a hidden field: <input
type="hidden" name="MAX_FILE_SIZE" value="100">.
The value of "MAX_FILE_SIZE" equals 10 (bytes) here; it doesn't work.
Actually, whenever MAX_FILE_SIZE is set to less than 1024*5, it
doesn't work: the file will be uploaded and stored without error.
What does 1024*5 mean? It's the size of the buffer used to get file data from the
multipart body (FILLUNIT).
The mistake comes from here:
in main/rfc1867.c,
function "SAPI_POST_HANDLER_FUNC"
compares how many bytes have been read (total_bytes) to "MAX_FILE_SIZE"
after reading again but before increasing total_bytes.
Reproduce code:
---------------
while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
{
    //>> UP TO 1024*5 BYTES HAVE BEEN READ
    if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
        sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
#endif
        cancel_upload = UPLOAD_ERROR_A;
    } else if (max_file_size && (total_bytes > max_file_size)) {
        //>> COMPARE total_bytes TO max_file_size BEFORE INCREASING total_bytes
#if DEBUG_FILE_UPLOAD
        sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
#endif
        cancel_upload = UPLOAD_ERROR_B;
    } else if (blen > 0) {
        wlen = write(fd, buff, blen);
        if (wlen < blen) {
#if DEBUG_FILE_UPLOAD
            sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
#endif
            cancel_upload = UPLOAD_ERROR_C;
        } else {
            //>> CHANGE total_bytes HERE, IT'S TOO LATE
            total_bytes += wlen;
        }
    }
}
if (fd != -1) { /* may not be initialized if file could not be created */
    close(fd);
}
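The ordering problem described above can be reproduced without a web server. The following is an added example written for this page, not code from PHP or from the reporter: it replaces multipart_buffer_read() with a hypothetical stand-in that hands out up to FILLUNIT (1024*5) bytes per call, and runs the same loop twice, once with the comparison done on total_bytes before the freshly read chunk is added (the ordering in the excerpt), and once with the chunk accounted for before the comparison. The function names, the mock reader and the sample file sizes are all constructed here; the 1024*5 buffer size and the "check before add" ordering are taken from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Size of the multipart read buffer (FILLUNIT) as stated in the report. */
#define FILLUNIT (1024 * 5)

/* Hypothetical stand-in for multipart_buffer_read(): returns up to `cap`
 * bytes of a `file_len`-byte upload per call and 0 once it is exhausted.
 * No real data is moved; only the byte counts matter for the check. */
static size_t mock_multipart_read(size_t file_len, size_t *pos, size_t cap)
{
    size_t remaining = file_len - *pos;
    size_t n = remaining < cap ? remaining : cap;
    *pos += n;
    return n;
}

/* Mirrors the ordering in the excerpt: MAX_FILE_SIZE is compared against
 * total_bytes BEFORE the chunk just read is added, so a file that fits in
 * a single FILLUNIT read is never rejected.
 * Returns 1 if the upload is accepted, 0 if it is cancelled; *stored
 * receives the number of bytes that would have reached the temp file. */
static int upload_check_before_add(size_t file_len, size_t max_file_size, size_t *stored)
{
    size_t pos = 0, blen, total_bytes = 0;
    int cancel_upload = 0;

    while (!cancel_upload && (blen = mock_multipart_read(file_len, &pos, FILLUNIT))) {
        if (max_file_size && total_bytes > max_file_size) {
            cancel_upload = 1;      /* UPLOAD_ERROR_B in the excerpt */
        } else {
            total_bytes += blen;    /* write() succeeded; counted too late */
        }
    }
    *stored = total_bytes;
    return !cancel_upload;
}

/* Hardened ordering (written for this example): include the chunk that was
 * just read in the comparison before anything is written, so the limit is
 * enforced on the first read as well. */
static int upload_check_after_add(size_t file_len, size_t max_file_size, size_t *stored)
{
    size_t pos = 0, blen, total_bytes = 0;
    int cancel_upload = 0;

    while (!cancel_upload && (blen = mock_multipart_read(file_len, &pos, FILLUNIT))) {
        if (max_file_size && total_bytes + blen > max_file_size) {
            cancel_upload = 1;      /* nothing from this chunk is written */
        } else {
            total_bytes += blen;
        }
    }
    *stored = total_bytes;
    return !cancel_upload;
}

int main(void)
{
    /* Constructed cases: MAX_FILE_SIZE=100 against a 2000-byte file (fits in
     * one FILLUNIT read), a 12000-byte file (needs three reads) and a
     * 50-byte file (within the limit). */
    size_t sizes[] = { 2000, 12000, 50 };
    for (size_t i = 0; i < 3; i++) {
        size_t s1, s2;
        int a1 = upload_check_before_add(sizes[i], 100, &s1);
        int a2 = upload_check_after_add(sizes[i], 100, &s2);
        printf("file=%zu MAX_FILE_SIZE=100: check-before-add accepted=%d stored=%zu | "
               "check-after-add accepted=%d stored=%zu\n", sizes[i], a1, s1, a2, s2);
    }
    return 0;
}
```

With the excerpt's ordering a 2000-byte file sails through a 100-byte limit, and a 12000-byte file is only cancelled after the first 5120 bytes have already been written to the temp file. The upload_max_filesize branch in the excerpt uses the same total_bytes comparison, so it has the same blind spot for the first buffer-full. MAX_FILE_SIZE is a client-supplied hint in any case, so the server-side php.ini limit is the one a deployment should rely on.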
--
Edit bug report at http://bugs.php.net/?id=33666&edit=1