Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:107369 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 34789 invoked from network); 4 Oct 2019 13:20:49 -0000 Received: from unknown (HELO php-smtp3.php.net) (208.43.231.12) by pb1.pair.com with SMTP; 4 Oct 2019 13:20:49 -0000 Received: from php-smtp3.php.net (localhost [127.0.0.1]) by php-smtp3.php.net (Postfix) with ESMTP id EF42F2D201B for ; Fri, 4 Oct 2019 04:02:11 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp3.php.net X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_00,FREEMAIL_FROM, HTML_MESSAGE,NUMERIC_HTTP_ADDR,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,WEIRD_PORT autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No Received: from mail-qt1-f179.google.com (mail-qt1-f179.google.com [209.85.160.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp3.php.net (Postfix) with ESMTPS for ; Fri, 4 Oct 2019 04:02:11 -0700 (PDT) Received: by mail-qt1-f179.google.com with SMTP id r5so7985632qtd.0 for ; Fri, 04 Oct 2019 04:02:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=5eMKOuIQjesZkGKM4A/4c5WRrNMsR2eKcdDhQG+1hIU=; b=aDJAUl7vT41M1RC03gTmg8I/gXdekDsU5pOygdWh+4Z99Nzlzb4KhXT+Bvzl1EqeJx qjDsiP5v8NUJyN/1Vji/v8EtRqNWe2DVrAo9ulTFRroyn9al7xG6FKA+L3sd5YVV+Uu8 uGEwRNrjhdVpHsX/HxebpI0o64R9nWkkDfGJCoQrz6BAnU/xMOag4yqMXsIczVjbaBVI Ea9FoI26prKWRuiG9je08O0d7MXg7YRd+36QDWQ6dBEesL37qfj6yPjeb+0x98ikQkEe dyLOdOp4XJAC5NQDARoUblhFP/cfhNv20/83SB7c4n0uk/Lky3HO/QmfFsEW0e/QY0Et 9JcA== X-Gm-Message-State: APjAAAWcWSD0PRTOghJCkRDBhxOyMGetmp7K5V7mHv34yqIoqDWCvt9C Uvg0x2gUOwM2x1wg/fAwVbBBQDAGlDZ2ubRprKk= X-Google-Smtp-Source: APXvYqxDvVPxsYIReKRQPXxddiurNlpgTOwLFJ9JX1UcmgbrSeWoiY978SMe5TpMEacfJ3GBiu3HTlcs9BE9QHNB6Ns= X-Received: by 2002:ac8:36b7:: with SMTP id a52mr15467278qtc.181.1570186930867; Fri, 04 Oct 2019 04:02:10 -0700 (PDT) MIME-Version: 1.0 References: <866ac36c-ddb5-80db-1ac2-56ff3f49cd81@cubiclesoft.com> In-Reply-To: <866ac36c-ddb5-80db-1ac2-56ff3f49cd81@cubiclesoft.com> Reply-To: bishop@php.net Date: Fri, 4 Oct 2019 07:01:44 -0400 Message-ID: To: Thomas Hruska , Benjamin Morel Cc: Rasmus Lerdorf , PHP Internals Content-Type: multipart/alternative; boundary="0000000000003ed3b5059413a286" X-Envelope-From: Subject: Re: [PHP-DEV] Error when POST / upload limits are exceeded From: bishop@php.net (Bishop Bettini) --0000000000003ed3b5059413a286 Content-Type: text/plain; charset="UTF-8" On Tue, Oct 1, 2019 at 5:39 PM Thomas Hruska wrote: > On 10/1/2019 1:26 PM, Rasmus Lerdorf wrote: > > On Tue, Oct 1, 2019 at 8:25 AM Benjamin Morel > > wrote: > > > >>> Perhaps a more generic $_SERVER['PHP_REQUEST_STATUS'] or something > along > >> those lines where you'd put the error message from > >> https://www.php.net/manual/en/features.file-upload.errors.php as well. > >> And add new states for these exceeded limits that aren't caught there. > It > >> would be nice if you just needed a single check instead of having to > look > >> for multiple things. > >> > >> Those are per-file error codes, that belong in each $_FILES entry, while > >> the errors I'm talking about affect the whole request, so I'm afraid you > >> cannot put these errors in the same place, nor can you extend the > existing > >> error codes, as they do not have the same scope! > >> > > > > I know they are per-file errors. I wrote that code :) > > > > But you could still have a global status that specifies whether an error > > occurred or not. Then you can go look for which file it occurred on in > the > > $_FILES array. The idea is to have a single check that tells you if > > everything was fine on the request. > > I agree this is needed. The problem I've encountered is that if there > are any more variables after a limit is hit, then some of the submitted > vars don't exist in the superglobals. Specifically, the variables > before the limit do exist while the ones after don't. There's a LOT of > userland code that *assumes* all expected non-file POST vars exist and > then DO things with the non-existent variables in this scenario. Is it > poorly written, lazy userland code? Sure, but it's certainly unexpected. > > In the past, I've seen all kinds of weird behaviors happen due to > missing vars in userland ranging from looping, WSODs, and altering PHP > sessions. The data gets submitted to the server but the PHP input > parser ignores it once a limit is reached. One of the first things I do > on a new system is to bump up the default limits considerably to avoid > hitting the limits. > > The ability to globally detect that processing of input variables was > early-terminated by the parser would allow userland startup sequences to > detect the problem globally and cleanly terminate the request BEFORE the > core application logic is encountered. This shouldn't just be for > files, it should be for any time the parser early-terminates input > processing but then proceeds to start executing userland code as if > nothing is wrong. > It's possible, in a limited fashion, to detect and react to some startup errors: $ cat index.php int(2) ["message"]=> string(92) "Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini." ["file"]=> string(7) "Unknown" ["line"]=> int(0) } Obviously this only gets the last one, and it doesn't handle situations like "the file pointed to by auto_prepend_file doesn't exist", but it seems a reasonable first step to assert error_get_last is null on script invocation. That said, I would prefer a function to a server/environment variable: error_get_startup() or something similar. --0000000000003ed3b5059413a286--