Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118593 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 54731 invoked from network); 10 Sep 2022 10:19:16 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 10 Sep 2022 10:19:16 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 22A4C1804C4 for ; Sat, 10 Sep 2022 03:19:15 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_20,KHOP_HELO_FCRDNS, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS16276 94.23.0.0/16 X-Spam-Virus: No X-Envelope-From: Received: from processus.org (ns366368.ip-94-23-14.eu [94.23.14.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 10 Sep 2022 03:19:14 -0700 (PDT) Message-ID: <528b9596-0614-783f-d9bc-80b1b61ae448@processus.org> Date: Sat, 10 Sep 2022 12:19:11 +0200 MIME-Version: 1.0 To: Yasuo Ohgaki , Misha Cc: internals@lists.php.net References: Content-Language: en-US In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Authentication-Results: processus.org; auth=pass smtp.mailfrom=pierre-php@processus.org X-Spamd-Bar: / Subject: Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte From: pierre-php@processus.org (Pierre) Le 10/09/2022 à 11:31, Yasuo Ohgaki a écrit : > 2022年9月7日(水) 22:58 Misha : > I can understand the motivation, but I am against the change. > > To increase uploaded file max size, POST max size must be increased too. > For 99.99% entry points do not need 50MB POST max size. > and larger POST max size increases DoS risks. > > Default upload file max size and POST max size should be small enough value > for better security. > IMHO, PHP script that handles large POST data should increase these > settings. > > Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net Hello, Where I work we use a client side component that split files, send them chunked, handle progress, resuming etc... along with a server side PHP component. This method was originally developed for three reasons: allow huge file uploads (videos), give the user a progress bar, and more importantly, be able to bypass POST max size restrictions in production environments we cannot configure because they're managed by a remote external admin team. My point is, I don't care about default limit remaining 2MB personally because we mostly work on products in which chunking files is the default. Anyway you also will have limit set at the HTTPd level as well if you want to be able to use it fully (in my original case the most limiting layer in the HTTP stack was Nginx at the time) having every layer in your stack working nicely together regarding POST size is not something you will always have in production environment that you don't fully manage yourself. I think that raising the limit to something between 10MB and 20MB is something reasonable so that people like me in the future won't be forced to develop a client side file chunker for most use (phone photos, some PDF files, etc... most commonly), but raising higher may be a security issue. My phone takes 4k pics andthey site between 4MB and 10MB, I think that the default limit doesn't have to be much more than this. As soon as you want to let your users upload bigger files, relying on a single HTTP POST seems dangerous for all of ergonomics, security and performance. Regards, -- Pierre