Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
2MB is probably too low and it can be set at something like 20MB, but from my understanding setting it low enough will help prevent DoS attacks. If we change it to something larger, I'm not sure exactly what would be the effect of changing this default for mass-hosting providers where they can have thousands of Wordpress/Drupal/etc. setups on a single node. Changing from 2MB to 20MB for all requests may have quite an effect if there is an attack. Surely all those providers have teams dedicated to setting the right limit, but that shouldn't stop us from using a safe default. What is unpractical with upload_max_filesize and post_max_size though is that we can't set the limit for each script, because it affects how PHP is parsing the POST body before the script is even parsed. Unless at one point we provide some kind of option to set ini literals from within a script file before the request is processed (eg. declare(post_max_size=256M) or something like that), the only option is to use the web server to change the setting. That way most endpoints will benefit from a low limit, and only the targeted scripts or directories will have a higher limit. For example with Apache something like that will only change the limit for the parts of the admin where it's needed, and when the HTTP client has a cookie: php_value post_max_size 256M php_value upload_max_filesize 256M I commented with this snippet on relevant documentation pages, hopefully it will help people looking for that kind of info to do something a bit better than to set this limit for the whole server. -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
> We spend a lot of time to increase limits for uploads file in PHP. For a lot of time, I assume you are using a web host that does not allow modification to INI file directly or using INI functions, and you have to contact your host provider for that change. Otherwise, it is not that difficult to apply that change. Plus, this question would have been answered in a php forum, like phpearth. > I'm not against increasing the sizes, but 50MB might be too much. It is possible on userland as well as configuration level. I don't feel like it is worth doing. It will break some websites. Most of the projects go with default options of upload; thus, doing so will make issues for such projects. > By the Way... This needs an RFC right? This change should be made with an rfc. Because it will impact a majority of projects, and usually devs doant have to have that huge limit. Plus, there are razed further concerns that On 9/10/22, Yasuo Ohgaki wrote: > 2022年9月10日(土) 23:23 David Gebler : > >> On Sat, Sep 10, 2022 at 3:05 PM juan carlos morales < >> dev.juan.mora...@gmail.com> wrote: >> >>> I also agree that increasing the size to something bigger than 8M >>> might not be a good idea; I can imagine that a value bigger than 8M >>> (like 50M) will cause an impact in hosting platforms specially, which >>> will be forced to always change the php's default values to a lower >>> one, because of potential DoS Attacks. >>> >>> Default settings should have a reasonable level of security in mind. >>> >> >> Do these settings actually have any impact in respect of DoS attacks? As >> far as I'm aware, neither post_max_size nor upload_max_filesize do >> anything >> to prevent or terminate processes where the client sends data exceeding >> these limits, that's something you should handle in your webserver. >> > > For example, password hash DoS attack was made possible because PHP allows > 8MB post data. > > https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/ > > IIRC, Drupal has a security release for this. > > Regards, > > -- > Yasuo Ohgaki > yohg...@ohgaki.net > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
2022年9月10日(土) 23:23 David Gebler : > On Sat, Sep 10, 2022 at 3:05 PM juan carlos morales < > dev.juan.mora...@gmail.com> wrote: > >> I also agree that increasing the size to something bigger than 8M >> might not be a good idea; I can imagine that a value bigger than 8M >> (like 50M) will cause an impact in hosting platforms specially, which >> will be forced to always change the php's default values to a lower >> one, because of potential DoS Attacks. >> >> Default settings should have a reasonable level of security in mind. >> > > Do these settings actually have any impact in respect of DoS attacks? As > far as I'm aware, neither post_max_size nor upload_max_filesize do anything > to prevent or terminate processes where the client sends data exceeding > these limits, that's something you should handle in your webserver. > For example, password hash DoS attack was made possible because PHP allows 8MB post data. https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/ IIRC, Drupal has a security release for this. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
On Sat, Sep 10, 2022 at 3:05 PM juan carlos morales < dev.juan.mora...@gmail.com> wrote: > I also agree that increasing the size to something bigger than 8M > might not be a good idea; I can imagine that a value bigger than 8M > (like 50M) will cause an impact in hosting platforms specially, which > will be forced to always change the php's default values to a lower > one, because of potential DoS Attacks. > > Default settings should have a reasonable level of security in mind. > Do these settings actually have any impact in respect of DoS attacks? As far as I'm aware, neither post_max_size nor upload_max_filesize do anything to prevent or terminate processes where the client sends data exceeding these limits, that's something you should handle in your webserver.
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
I also agree that increasing the size to something bigger than 8M might not be a good idea; I can imagine that a value bigger than 8M (like 50M) will cause an impact in hosting platforms specially, which will be forced to always change the php's default values to a lower one, because of potential DoS Attacks. Default settings should have a reasonable level of security in mind. -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
On Sat, 10 Sept 2022 at 11:32, Yasuo Ohgaki wrote: > > 2022年9月7日(水) 22:58 Misha : > > > Hello everyone, > > > > We spend a lot of time to increase limits for uploads file in PHP. Can we > > increase it in php.ini? > > > > Current value is 2Mb. Its so small value, when photo image can take 8Mb on > > iPhone X. > > We should increase it to 50Mb, because DevOps engineers do useless work > > trying to change it. > > > > I have prepared PR for it https://github.com/php/php-src/pull/9315 > > > > Take a look and approve it please. > > > > Thanks! > > > > -- > > Best regards, Michail > > > > > I can understand the motivation, but I am against the change. > > To increase uploaded file max size, POST max size must be increased too. > For 99.99% entry points do not need 50MB POST max size. > and larger POST max size increases DoS risks. > > Default upload file max size and POST max size should be small enough value > for better security. > IMHO, PHP script that handles large POST data should increase these > settings. > > Regards, > > -- > Yasuo Ohgaki > yohg...@ohgaki.net If I'm not mistaken, even the memory_limit needs to be increased when the post_max_size directive is larger. The memory_limit needs to be larger than post_max_size. And the post_max_size must be slightly larger than upload_max_size. memory_limit > post_max_size > upload_max_size -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
Le 10/09/2022 à 11:31, Yasuo Ohgaki a écrit : 2022年9月7日(水) 22:58 Misha : I can understand the motivation, but I am against the change. To increase uploaded file max size, POST max size must be increased too. For 99.99% entry points do not need 50MB POST max size. and larger POST max size increases DoS risks. Default upload file max size and POST max size should be small enough value for better security. IMHO, PHP script that handles large POST data should increase these settings. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net Hello, Where I work we use a client side component that split files, send them chunked, handle progress, resuming etc... along with a server side PHP component. This method was originally developed for three reasons: allow huge file uploads (videos), give the user a progress bar, and more importantly, be able to bypass POST max size restrictions in production environments we cannot configure because they're managed by a remote external admin team. My point is, I don't care about default limit remaining 2MB personally because we mostly work on products in which chunking files is the default. Anyway you also will have limit set at the HTTPd level as well if you want to be able to use it fully (in my original case the most limiting layer in the HTTP stack was Nginx at the time) having every layer in your stack working nicely together regarding POST size is not something you will always have in production environment that you don't fully manage yourself. I think that raising the limit to something between 10MB and 20MB is something reasonable so that people like me in the future won't be forced to develop a client side file chunker for most use (phone photos, some PDF files, etc... most commonly), but raising higher may be a security issue. My phone takes 4k pics andthey site between 4MB and 10MB, I think that the default limit doesn't have to be much more than this. As soon as you want to let your users upload bigger files, relying on a single HTTP POST seems dangerous for all of ergonomics, security and performance. Regards, -- Pierre -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
2022年9月7日(水) 22:58 Misha : > Hello everyone, > > We spend a lot of time to increase limits for uploads file in PHP. Can we > increase it in php.ini? > > Current value is 2Mb. Its so small value, when photo image can take 8Mb on > iPhone X. > We should increase it to 50Mb, because DevOps engineers do useless work > trying to change it. > > I have prepared PR for it https://github.com/php/php-src/pull/9315 > > Take a look and approve it please. > > Thanks! > > -- > Best regards, Michail > I can understand the motivation, but I am against the change. To increase uploaded file max size, POST max size must be increased too. For 99.99% entry points do not need 50MB POST max size. and larger POST max size increases DoS risks. Default upload file max size and POST max size should be small enough value for better security. IMHO, PHP script that handles large POST data should increase these settings. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
I have it set to 32MB and nobody has complained yet. I think it might be a sweet spot between security and usability out of the box.
Re: [PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
On Wed, Sep 7, 2022 at 2:58 PM Misha wrote: > Hello everyone, > > We spend a lot of time to increase limits for uploads file in PHP. Can we > increase it in php.ini? > > Current value is 2Mb. Its so small value, when photo image can take 8Mb on > iPhone X. > We should increase it to 50Mb, because DevOps engineers do useless work > trying to change it. > > I think the problem is that too high value can potentially result in DoS if you have for example some API that might be sensitive to it. I think this should be really handled on web server though and Apache httpd [1] as well as nginx [2] have the default limit set to 1MB. The only problem is that Apache introduced that limit default quite recently (2.4.53) so there are likely still lots of users where this value matters more if they don't tweak defaults. I guess it might be wise to do much smaller increase and start maybe somewher closer to 8MB or maybe even wait a little bit longer till most users have safe defaults on web server. [1] https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody [2] http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size Regards Jakub
[PHP-DEV] Increase maximum size of an uploaded file to 50Mbyte
Hello everyone, We spend a lot of time to increase limits for uploads file in PHP. Can we increase it in php.ini? Current value is 2Mb. Its so small value, when photo image can take 8Mb on iPhone X. We should increase it to 50Mb, because DevOps engineers do useless work trying to change it. I have prepared PR for it https://github.com/php/php-src/pull/9315 Take a look and approve it please. Thanks! -- Best regards, Michail