Hello everyone,
We spend a lot of time increasing the file upload limits in PHP. Can we
increase them in php.ini?
The current value is 2Mb. It's such a small value, when a photo image can take 8Mb on
an iPhone X.
We should increase it to 50Mb, because DevOps engineers do useless work
trying to change it.
I have prepared a PR for it: https://github.com/php/php-src/pull/9315
Take a look and approve it please.
Thanks!
--
Best regards, Michail
I'm not against increasing the sizes, but 50MB might be too much.
Anyway, only changing the php.ini files doesn't make sense in my
opinion, since they're probably only used on Windows, and they should
reflect the actual default values[1].
[1]
https://github.com/php/php-src/blob/f3d8f097201c4aa099cc256f4740ee845f4bd606/main/main.c#L724-L725
--
Christoph M. Becker
On Wed, Sep 7, 2022 at 3:28 PM Christoph M. Becker cmbecker69@gmx.de
wrote:
It's true that those particular ini files are not directly used on Linux,
but distros often base their changes on them, and the distro-provided ones
are actually used. So it means that the main defaults in main.c are most likely
not used. Although I agree they should be changed too so it is consistent.
Regards
Jakub
Hey all.
On Wed, Sep 7, 2022 at 3:28 PM Christoph M. Becker cmbecker69@gmx.de wrote:
No matter which value we preset, it will most certainly not be adequate.
So people will have to set it according to their needs. And if they
didn't so far, then they are happy with the current setting.
Don't get me wrong: I'm not against changing that value.
But is it really an issue that needs solving? It's a default value of a
configuration file. When I'm unhappy with the default, I change it to a
more suitable value. When I'm not able to do that... perhaps I should
leave my fingers not only from the config file...
My 0.02€
Cheers
Andreas
,,,
(o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl |
| mailto:andreas@heigl.org N 50°22'59.5" E 08°23'58" |
| https://andreas.heigl.org |
+---------------------------------------------------------------------+
| https://hei.gl/appointmentwithandreas |
+---------------------------------------------------------------------+
On Wed, Sep 7, 2022 at 3:28 PM Christoph M. Becker cmbecker69@gmx.de wrote:
It might be worth pointing out that we have been using these defaults since PHP
4.0 (at least), so reconsidering sensible defaults might be appropriate.
--
Christoph M. Becker
On Wed, Sep 7, 2022 at 3:28 PM Christoph M. Becker cmbecker69@gmx.de wrote:
I can sense we are all feeling like upping the value here.
If we take it slow and move from 2MB to 8MB, that would ease into it, and
we can see how it goes in our next release?
Do we RFC this? Who is volunteering to make it, if so? :-)
There is already a PR on GitHub; the author should have priority on this.
Otherwise I volunteer myself to help the author and work on this together.
DevOps engineers should automate as much as possible and store custom
php.ini files in configurations so they don’t have to change these
values each time they launch a new system. ;-)
That said, I don’t have a problem with increasing the limit, but as
Christoph said, 50MB might be too much, and the actual default values
should change.
--
Cheers,
Ben
I think the problem is that too high a value can potentially result in DoS if
you have, for example, some API that might be sensitive to it. I think this
should really be handled on the web server though, and Apache httpd [1] as well
as nginx [2] have the default limit set to 1MB. The only problem is that
Apache introduced that default limit quite recently (2.4.53), so there are
likely still lots of users where this value matters more if they don't
tweak defaults. I guess it might be wise to do a much smaller increase and
start maybe somewhere closer to 8MB, or maybe even wait a little bit longer
till most users have safe defaults on the web server.
[1] https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
[2]
http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
Regards
Jakub
I have it set to 32MB and nobody has complained yet. I think it might be a
sweet spot between security and usability out of the box.
On Wed, Sep 7, 2022 at 22:58 Misha mishanon@gmail.com wrote:
I can understand the motivation, but I am against the change.
To increase the uploaded file max size, the POST max size must be increased too.
99.99% of entry points do not need a 50MB POST max size,
and a larger POST max size increases DoS risks.
The default upload file max size and POST max size should be a small enough value
for better security.
IMHO, a PHP script that handles large POST data should increase these
settings.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
On 10/09/2022 at 11:31, Yasuo Ohgaki wrote:
Hello,
Where I work we use a client-side component that splits files, sends them
chunked, handles progress, resuming etc., along with a server-side PHP
component. This method was originally developed for three reasons: allow
huge file uploads (videos), give the user a progress bar, and more
importantly, be able to bypass POST max size restrictions in production
environments we cannot configure because they're managed by a remote
external admin team.
My point is, I don't care about the default limit remaining 2MB personally,
because we mostly work on products in which chunking files is the
default. Anyway, you will also have a limit set at the HTTPd level
if you want to be able to use it fully (in my original case the most
limiting layer in the HTTP stack was Nginx at the time); having every
layer in your stack working nicely together regarding POST size is not
something you will always have in a production environment that you don't
fully manage yourself.
I think that raising the limit to something between 10MB and 20MB is
reasonable, so that people like me in the future won't be
forced to develop a client-side file chunker for most uses (phone photos,
some PDF files, etc. most commonly), but raising it higher may be a
security issue. My phone takes 4k pics and they sit between 4MB and
10MB; I think that the default limit doesn't have to be much more than
this. As soon as you want to let your users upload bigger files, relying
on a single HTTP POST seems dangerous for all of ergonomics, security
and performance.
Regards,
--
Pierre
On Wed, Sep 7, 2022 at 22:58 Misha mishanon@gmail.com wrote:
If I'm not mistaken, even the memory_limit needs to be increased when
the post_max_size directive is larger. The memory_limit needs to be
larger than post_max_size. And the post_max_size must be slightly
larger than upload_max_size.
memory_limit > post_max_size > upload_max_size
I also agree that increasing the size to something bigger than 8M
might not be a good idea; I can imagine that a value bigger than 8M
(like 50M) will cause an impact in hosting platforms especially, which
will be forced to always change PHP's default values to a lower
one, because of potential DoS attacks.
Default settings should have a reasonable level of security in mind.
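An added example, not code from the thread or from php-src, that turns the ordering above (memory_limit > post_max_size > upload_max_filesize) into a check that can be run against the current interpreter or a candidate php.ini, and shows how an oversized POST body can still be detected once PHP has discarded it; the function names and the sample values are assumptions of this example:

```php
<?php
// Added example (not from the thread or from php-src): sanity-check the three
// php.ini size directives discussed above and detect an oversized POST body.
// Function names are assumed; the sample values at the bottom are constructed.
declare(strict_types=1);

// Convert php.ini shorthand ("8M", "256K", "2G", "8388608", "-1") to bytes.
// "-1" means unlimited for memory_limit, so it maps to PHP_INT_MAX.
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    $number = (int) $value; // leading digits only, like PHP's own shorthand parser
    return match (strtolower(substr($value, -1))) {
        'g'     => $number * 1024 ** 3,
        'm'     => $number * 1024 ** 2,
        'k'     => $number * 1024,
        default => $number, // no suffix: the value is already in bytes
    };
}

// Report violations of the ordering described above:
//     memory_limit > post_max_size > upload_max_filesize
// Arguments default to the running interpreter; pass values explicitly to
// check a candidate php.ini before deploying it.
function checkUploadLimits(?string $memory = null, ?string $post = null, ?string $upload = null): array
{
    $memory ??= (string) ini_get('memory_limit');
    $post   ??= (string) ini_get('post_max_size');
    $upload ??= (string) ini_get('upload_max_filesize');

    $problems = [];
    if (iniSizeToBytes($upload) > iniSizeToBytes($post)) {
        $problems[] = "upload_max_filesize=$upload exceeds post_max_size=$post";
    }
    if (iniSizeToBytes($post) >= iniSizeToBytes($memory)) {
        $problems[] = "post_max_size=$post is not below memory_limit=$memory";
    }
    return $problems;
}

// A body larger than post_max_size is discarded before the script runs and
// $_POST / $_FILES arrive empty, so the Content-Length header is the only
// reliable signal that a request hit the limit.
function postBodyExceedsLimit(array $server): bool
{
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    return $length > iniSizeToBytes((string) ini_get('post_max_size'));
}

// Constructed values: 8M/2M is the pair several posters suggest; the 50M
// proposal, left above post_max_size, makes the ordering check fire.
print_r(checkUploadLimits('128M', '8M', '2M'));
print_r(checkUploadLimits('128M', '8M', '50M'));
var_dump(postBodyExceedsLimit(['CONTENT_LENGTH' => '9000000']));
```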
On Sat, Sep 10, 2022 at 3:05 PM juan carlos morales <
dev.juan.morales@gmail.com> wrote:
Do these settings actually have any impact in respect of DoS attacks? As
far as I'm aware, neither post_max_size nor upload_max_filesize do anything
to prevent or terminate processes where the client sends data exceeding
these limits, that's something you should handle in your webserver.
On Sat, Sep 10, 2022 at 23:23 David Gebler davidgebler@gmail.com wrote:
For example, password hash DoS attack was made possible because PHP allows
8MB post data.
https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/
IIRC, Drupal has a security release for this.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
We spend a lot of time to increase limits for uploads file in PHP.
For a lot of time, I assume you are using a web host that does not
allow modification to INI file directly or using INI functions, and
you have to contact your host provider for that change. Otherwise, it
is not that difficult to apply that change. Plus, this question would
have been answered in a php forum, like phpearth.
I'm not against increasing the sizes, but 50MB might be too much.
It is possible on userland as well as configuration level. I don't
feel like it is worth doing. It will break some websites. Most of the
projects go with default options of upload; thus, doing so will make
issues for such projects.
By the Way... This needs an RFC right?
This change should be made with an RFC, because it will impact a
majority of projects, and usually devs don't have to have that huge
limit. Plus, there are further concerns raised that
On Sat, Sep 10, 2022 at 23:23 David Gebler davidgebler@gmail.com wrote:
2MB is probably too low and it can be set at something like 20MB,
but from my understanding setting it low enough will help prevent DoS
attacks.
If we change it to something larger, I'm not sure exactly what would be
the effect of changing this default for mass-hosting providers where
they can have thousands of Wordpress/Drupal/etc. setups on a single
node. Changing from 2MB to 20MB for all requests may have quite an
effect if there is an attack. Surely all those providers have teams
dedicated to setting the right limit, but that shouldn't stop us from
using a safe default.
What is impractical with upload_max_filesize and post_max_size though is
that we can't set the limit for each script, because it affects how PHP
parses the POST body before the script is even parsed.
Unless at one point we provide some kind of option to set ini literals
from within a script file before the request is processed (eg.
declare(post_max_size=256M) or something like that), the only option is
to use the web server to change the setting.
That way most endpoints will benefit from a low limit, and only
the targeted scripts or directories will have a higher limit.
For example, with Apache something like this will only change the
limit for the parts of the admin where it's needed, and when the HTTP
client has a cookie:
<If "%{REQUEST_URI} =~ m!^/admin/(files|images)/! && -n %{HTTP_COOKIE}">
php_value post_max_size 256M
php_value upload_max_filesize 256M
</If>
I commented with this snippet on relevant documentation pages,
hopefully it will help people looking for that kind of info to do
something a bit better than to set this limit for the whole server.