Bug #2152
closedFile upload doesn't work if the file is bigger than [512k?]
Description
My last issue was deleted by accident, so here goes:
No errors in /var/log/lighttpd/errors.log
A few files called lighttp* and later php* appear in /tmp
ahl:/tmp# while true; do ls -l |grep -v sess && echo .; done -rw------ 1 lighttpd lighttpd 298177 Jan 11 17:52 lighttpd-upload-Ib7A6u . rw------ 1 lighttpd lighttpd 816561 Jan 11 17:52 lighttpd-upload-Ib7A6u . rw------ 1 lighttpd lighttpd 173760 Jan 11 17:52 lighttpd-upload-GSfToa rw------ 1 lighttpd lighttpd 1049689 Jan 11 17:52 lighttpd-upload-Ib7A6u . rw------ 1 lighttpd lighttpd 386428 Jan 11 17:52 lighttpd-upload-GSfToa rw------ 1 lighttpd lighttpd 1049689 Jan 11 17:52 lighttpd-upload-Ib7A6u rw------ 1 lighttpd lighttpd 716660 Jan 11 17:52 phpqwZAOS
My upload.php, pretty basic, should just save the file. It DOES work when the uploaded file is small, for example 341kB.
---------------
<?php
header('Content-type: text/html; charset=utf-8');
$uploadedfile = $_FILES['userfile']['tmp_name'];
echo "The file uploaded was $uploadedfile.";
$storefile = $_POST['fnr'] . ".png";
$command = "cp -v $uploadedfile $storefile"; // save the uploaded file.
passthru($command); // save
?>
It seems lighttpd builds several files of around 1MB and then puts them together to one file, phpqwZAOS is seen above.
But when it's too big a file, that file isn't available and doesn't show up in the $_FILES[] array of PHP. Problem with lighttpd passing the file to php?
lighttpd version: lighttpd-1.4.23-r2
OS: alpine linux 2.6.30.8-grsec
Attached strace of a post of a big file.
Files
Updated by arnotixe over 15 years ago
got a fix from alpine linux, seems something's up there. Now I can upload up to 965259b, but 1013956b fails.
Updated by icy over 15 years ago
- Status changed from New to Need Feedback
Just a quick note: your php code is vulnerable to file overwriting and command injection since you do no validation at all and you use the wrong functions to move the file.
lighttpd-1.4.23-r2 is old, current stable one is 1.4.25
Updated by arnotixe over 15 years ago
- % Done changed from 0 to 100
oh no it seems that the MAX_FILE_SIZE tag (I don't remember why it's there on the form anyway) is parsed by PHP even if I don't tell it to o_O
Let's see what happens when I remove that tag.. sorry to waste your time Now I got a 9.5MB file through... I think you can close this bug -
"a tag called MAX_FILE_SIZE in the 'upload file' form was [silently] parsed by php"
I didn't suspect that tag since I hadn't written php any code checking it. Apparently that's done automatically by php and also "taken care of" automatically, dropping the file (googled http://bytes.com/topic/php/answers/647849-max_file_size-html-forms)
Sorry to cause a stir
Also available in: Atom