2MB is probably too low and it can be set at something like 20MB,
but from my understanding setting it low enough will help prevent DoS
attacks.

If we change it to something larger, I'm not sure exactly what would be
the effect of changing this default for mass-hosting providers where
they can have thousands of WordPress/Drupal/etc. setups on a single
node. Changing from 2MB to 20MB for all requests may have quite an
effect if there is an attack. Surely all those providers have teams
dedicated to setting the right limit, but that shouldn't stop us from
using a safe default.

What is unpractical with upload_max_filesize and post_max_size though is
that we can't set the limit for each script, because it affects how PHP
is parsing the POST body before the script is even parsed.

Unless at one point we provide some kind of option to set ini literals
from within a script file before the request is processed (e.g.
declare(post_max_size=256M) or something like that), the only option is
to use the web server to change the setting.

That way most endpoints will benefit from a low limit, and only
the targeted scripts or directories will have a higher limit.

For example with Apache something like that will only change the
limit for the parts of the admin where it's needed, and when the HTTP
client has a cookie:

<If "%{REQUEST_URI} =~ m!^/admin/(files|images)/! && -n %{HTTP_COOKIE}">
    php_value post_max_size 256M
    php_value upload_max_filesize 256M
</If>

I commented with this snippet on relevant documentation pages,
hopefully it will help people looking for that kind of info to do
something a bit better than to set this limit for the whole server.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
