Newsgroups: php.internals
Subject: Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Sat, 10 Sep 2022 23:29:51 +0900
To: David Gebler
Cc: juan carlos morales, Peter Kokot, Misha, internals@lists.php.net

Sat, Sep 10, 2022 23:23 David Gebler:

> On Sat, Sep 10, 2022 at 3:05 PM juan carlos morales <
> dev.juan.morales@gmail.com> wrote:
>
>> I also agree that increasing the size to something bigger than 8M
>> might not be a good idea; I can imagine that a value bigger than 8M
>> (like 50M) will cause an impact on hosting platforms especially, which
>> will be forced to always change PHP's default values to a lower
>> one, because of potential DoS attacks.
>>
>> Default settings should have a reasonable level of security in mind.
>>
>
> Do these settings actually have any impact in respect of DoS attacks? As
> far as I'm aware, neither post_max_size nor upload_max_filesize do anything
> to prevent or terminate processes where the client sends data exceeding
> these limits; that's something you should handle in your webserver.
>

For example, the password hash DoS attack was made possible because PHP allows 8MB of POST data.
https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/

IIRC, Drupal has a security release for this.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
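Added example, not code from the thread, from PHP or from any project discussed in it: a PHP 8 script showing the two application-side checks the exchange above points at. It converts the php.ini shorthand ("8M") into bytes so a handler can compare a request's declared size against post_max_size before touching the body, and it caps password length before calling password_hash so an oversized POST body cannot be turned into hashing work. The function names, the MAX_PASSWORD_BYTES value and the sample sizes are my own assumptions; the web-server directives named in the comments (nginx client_max_body_size, Apache LimitRequestBody) are the server-level limits David refers to.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from PHP itself. It shows two
// application-level checks that the php.ini defaults alone do not perform:
//   1. turning the ini shorthand ("8M") into bytes so the declared request
//      size can be compared against post_max_size before the body is read;
//   2. bounding password length before an expensive hash, so a large POST
//      body cannot be converted into CPU time.
// Names (iniShorthandToBytes, requestWithinPostLimit, hashPasswordBounded,
// MAX_PASSWORD_BYTES) are my own, not PHP or project APIs.

/** Convert PHP ini shorthand such as "8M", "2G" or "512K" into bytes. */
function iniShorthandToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;                 // reads the leading digits only
    $unit   = strtoupper(substr($value, -1));
    return match ($unit) {
        'G'     => $number * 1024 ** 3,
        'M'     => $number * 1024 ** 2,
        'K'     => $number * 1024,
        default => $number,                 // plain byte count
    };
}

/**
 * True when the client's declared Content-Length fits within post_max_size.
 * PHP discards oversized POST data rather than stopping the transfer, so the
 * enforcing limit belongs in the web server (nginx client_max_body_size,
 * Apache LimitRequestBody); this check only lets the application fail fast.
 */
function requestWithinPostLimit(int $contentLength, string $postMaxSize): bool
{
    return $contentLength >= 0 && $contentLength <= iniShorthandToBytes($postMaxSize);
}

// Assumed application cap; PHP itself imposes no such limit.
const MAX_PASSWORD_BYTES = 1024;

/**
 * Hash a password only if it is within the cap, returning null otherwise.
 * Bcrypt (PASSWORD_BCRYPT) truncates input at 72 bytes, but schemes whose
 * cost grows with input length, and the request parsing before them, do not.
 */
function hashPasswordBounded(string $password): ?string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return null;
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed inputs standing in for real requests.
$limit = ini_get('post_max_size') ?: '8M';
$declaredSizes = [5 * 1024 ** 2, 50 * 1024 ** 2];   // a 5 MiB and a 50 MiB body
foreach ($declaredSizes as $size) {
    printf("%d bytes declared, limit %s: %s\n",
        $size, $limit, requestWithinPostLimit($size, $limit) ? 'accept' : 'reject');
}

$inputs = ['correct horse battery staple', str_repeat('a', 1_000_000)];
foreach ($inputs as $pw) {
    $hash = hashPasswordBounded($pw);
    printf("%d-byte password: %s\n", strlen($pw),
        $hash === null ? 'rejected before hashing' : 'hashed');
}
```

Run it with `php example.php` (PHP 8.0 or later for `match`). The Content-Length comparison is a fast-fail, not a defence on its own: by the time PHP sees the request the server has usually already received the body, which is the point David makes, so the byte limit that actually stops a transfer has to be configured in the web server, and the password cap is what keeps the hashing cost bounded regardless of what size the server lets through.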