From:             john dot peterson10 at gmail dot com
Operating system: Windows
PHP version:      5.2.12
PHP Bug Type:     Feature/Change Request
Bug description:  Don't create unnecessary temporary files for POST (CVE-2009-4017)

Description:
------------
Suggestion: Don't create temporary files when receiving a
"multipart/form-data" POST until they are needed by the PHP code. This is
an alternative solution to CVE-2009-4017 that does not require a
max_file_uploads limit.

My understanding of the current function of RFC-1867 (Form-based File
Upload in HTML) is that the list of files and the data for the files are
sent before there is any processing of the PHP code in the requested page.
(And regardless of whether the Apache-httpd server is PHP enabled or not?) However,
a PHP enabled server controls the response to the POST request and with the
max_file_uploads limit it will not process any more files than what it's
limited to.

My question is: Isn't there a way to go even further and not respond to
the file uploads in the POST request until it's needed in the PHP code?
I.e. by only asking for file data when an element in $_FILES is requested
by the PHP code? For example, when $_FILES[#] or $_FILES[#]["tmp_name"] is
accessed in the PHP code (with move_uploaded_file or otherwise), the PHP
execution halts and waits for that file to be uploaded, and so on with the
other files. That way the vulnerability would be solved and there wouldn't
be a need for the max_file_uploads limit. Or is there no two-way
communication so that files are submitted one at a time from the client
regardless of the response from the server (so that this solution is not
possible)?

Reproduce code:
---------------
Page request with File Upload

Expected result:
----------------
Files are only created on the server when they are needed in the PHP code

Actual result:
--------------
Files are created on the server regardless of whether they are needed in the PHP
code or not
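Added example, not part of the report and not PHP's own RFC 1867 code: a Python sketch of the proposal that parses a constructed multipart/form-data body, enforces a max_file_uploads-style part count while scanning, and creates a temporary file only when a part's tmp_name is first read. It assumes the whole request body has already arrived (HTTP gives the server no way to defer individual parts), so unread parts are held in memory rather than on disk, which trades disk usage for memory.

```python
import re
import tempfile

BOUNDARY = b"Xb0undary"  # constructed sample body below: two file parts plus one plain field
SAMPLE_BODY = b"".join([
    b"--Xb0undary\r\n", b'Content-Disposition: form-data; name="title"\r\n\r\nhello\r\n',
    b"--Xb0undary\r\n", b'Content-Disposition: form-data; name="f1"; filename="a.txt"\r\n\r\nfirst file\r\n',
    b"--Xb0undary\r\n", b'Content-Disposition: form-data; name="f2"; filename="b.txt"\r\n\r\nsecond file\r\n',
    b"--Xb0undary--\r\n",
])


class LazyUpload:
    """A file part held in memory; the temp file is created only when tmp_name is first read."""
    def __init__(self, name: str, filename: str, data: bytes):
        self.name, self.filename, self._data = name, filename, data
        self._tmp_name = None

    @property
    def materialized(self) -> bool:
        return self._tmp_name is not None

    @property
    def tmp_name(self) -> str:
        if self._tmp_name is None:  # first access: now, and only now, touch the disk
            with tempfile.NamedTemporaryFile(prefix="php", delete=False) as fh:
                fh.write(self._data)
                self._tmp_name = fh.name
        return self._tmp_name


def iter_parts(body: bytes, boundary: bytes):
    """Walk the RFC 1867 parts in order, yielding (field name, filename or None, raw data)."""
    for seg in body.split(b"--" + boundary)[1:]:
        if seg.startswith(b"--"):  # closing delimiter
            break
        head, _, data = seg[2:].partition(b"\r\n\r\n")  # drop the CRLF after the boundary
        hdr = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', hdr)
        fname = re.search(r'filename="([^"]*)"', hdr)
        yield (name.group(1) if name else "", fname.group(1) if fname else None, data[:-2])


def parse_files(body: bytes, boundary: bytes, max_file_uploads: int = 20) -> dict:
    """Build a $_FILES-like table; the count limit mirrors php.ini's max_file_uploads."""
    files = {}
    for name, fname, data in iter_parts(body, boundary):
        if fname is None:
            continue  # ordinary form field, never a file
        if len(files) >= max_file_uploads:
            raise ValueError("max_file_uploads exceeded")
        files[name] = LazyUpload(name, fname, data)
    return files
```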

-- 
Edit bug report at http://bugs.php.net/?id=50691&edit=1