  1. eZ Publish / Platform
  2. EZP-24954

Platform UI is allowing the upload of files bigger than post_max_size

    Details

    • Type: Bug
    • Status: Backlog
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 5.0, 2015.09, 1.4.0-beta1
    • Fix Version/s: QA tracked issues
    • Component/s: None
    • Environment:

      Operating System: CentOS 7.0 x64
      PHP Version: 5.4.16
      Database and version: Mariadb 5.5
      Browser (and version): Chrome 45

      Description

      Hi,
      When I upload a binary file bigger than upload_max_filesize, I get no errors and the file is uploaded.
      STEPS TO REPRODUCE
      – Set "post_max_size = 2M" in php.ini
      – Create a content -> Video
      – Fill in the name (Video1) and upload or drag&drop a video file bigger than 2M
      – See that the file is uploaded (which is not expected, since it's bigger than post_max_size)
      – Publish the video
      – See that the video was published without any error

          Activity

          Paulo Nunes (Inactive) added a comment -

          I will mark it as invalid.
          In another testing environment this setting is being honored...

          Paulo Nunes (Inactive) added a comment -

          I'll open this issue again, because it's happening consistently in both Apache and nginx 1.4 environments.
          I changed php.ini post_max_size to 2 MB and when trying to upload a 5 MB video file, it is accepted without any warning or information.

          Miguel das Neves Jacinto (Inactive) added a comment -

          +1 Confirmed

          Bertrand Dunogier added a comment - edited

          As it turns out, the settings have never had any effect on file uploads since version 5.0.

          The reason is that this setting, as well as upload_max_size, acts upon data in $_POST and $_FILES. As it turns out, since the REST API uses the request body to transport binary file data, it bypasses this check. Quoting the PHP doc: "If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty."

          Given that we do not say anywhere that we "support" this setting, I'm not sure we should remove it. The size of the files can still be validated using the size configuration of the Field Definition. From a user's perspective, it's actually simpler.

          Note however that it will affect file upload done via symfony forms when implemented, since those will use standard POST and multipart form-data.

          When it comes to limiting the size of requests sent altogether to the server, there are directives for this in our example / template web server configuration files: https://github.com/ezsystems/ezplatform/blob/master/doc/apache2/vhost.template#L14, https://github.com/ezsystems/ezplatform/blob/master/doc/nginx/vhost.template#L21.

          I'm tempted to disqualify the issue (e.g. "you don't qualify as an issue" ).

          Paulo Nunes (Inactive) added a comment -

          Ok. But if we assume the disqualification of this as an issue, then we might as well remove or update the references to post_max_size in documentation to reflect this fact.
          At least here https://doc.ez.no/display/EZP/Requirements+for+doing+a+normal+installation#Requirementsfordoinganormalinstallation-PHPmaxpostsize
          and here https://doc.ez.no/pages/viewpage.action?pageId=31429536

          Damien Pobel (Inactive) added a comment -

          You are right, the documentation should be updated to indicate the right settings, i.e. LimitRequestBody for Apache and client_max_body_size for Nginx, instead of post_max_size.
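
The thread above names three separate limits: PHP's post_max_size, Apache's LimitRequestBody and nginx's client_max_body_size. As an added example (not part of the ticket or of eZ Platform's code), this Python audit reads those directives from configuration text and reports when the web server is unset, unlimited, or admits larger bodies than post_max_size; the function names and sample configs are constructed for illustration.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

# Uncommented occurrences only: php.ini comments start with ';', server configs with '#'.
PATTERNS = {
    "post_max_size": r"^\s*post_max_size\s*=\s*(\S+)",
    "LimitRequestBody": r"^\s*LimitRequestBody\s+(\d+)",
    "client_max_body_size": r"^\s*client_max_body_size\s+(\w+)\s*;",
}

def to_bytes(value):
    """Convert '2M', '48m' or '2097152' to a byte count (1024-based suffixes)."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def find_limit(directive, text):
    """Last uncommented value of `directive` in bytes, or None when unset.
    Simplification: nested contexts (location, Directory) are not resolved."""
    hits = re.findall(PATTERNS[directive], text, flags=re.M | re.I)
    return to_bytes(hits[-1]) if hits else None

def audit(php_ini, web_conf, web_directive):
    """Compare PHP's post_max_size with the web server's request-body limit."""
    php = find_limit("post_max_size", php_ini)
    web = find_limit(web_directive, web_conf)
    findings = []
    if web is None:
        findings.append(f"{web_directive} is not set: the server default applies")
    elif web == 0:
        findings.append(f"{web_directive} is 0: request body size is not limited")
    elif php and web > php:
        findings.append(f"{web_directive} ({web} B) exceeds post_max_size ({php} B)")
    return web, findings

# Constructed sample configuration, not taken from the eZ Platform templates.
PHP_INI = "; constructed sample\npost_max_size = 2M\n"
NGINX = "server {\n    # client_max_body_size 1m;\n    client_max_body_size 48m;\n}\n"
APACHE = "<VirtualHost *:80>\n    LimitRequestBody 0\n</VirtualHost>\n"

if __name__ == "__main__":
    for conf, directive in ((NGINX, "client_max_body_size"), (APACHE, "LimitRequestBody")):
        limit, findings = audit(PHP_INI, conf, directive)
        print(directive, limit, findings)
```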

          Paulo Nunes (Inactive) added a comment -

          Unless different opinions are raised, I will close this issue as invalid, as post_max_size is not currently used under ezplatform scope.

          Regarding documentation, https://doc.ez.no/display/EZP/Requirements+for+doing+a+normal+installation#Requirementsfordoinganormalinstallation-PHPmaxpostsize has already been fixed: the requirements' references to post_max_size have been removed, and LimitRequestBody for Apache and client_max_body_size for Nginx are now referred to in https://doc.ez.no/display/DEVELOPER/Avoiding+problems (see EZP-25944).

          Bertrand Dunogier added a comment - edited

          As a matter of fact, I have experienced the post size limitation last week. Creation of an image using PlatformUI was failing.

          I'll try to understand why it didn't happen the first times...

          Let's reopen it.


            People

            • Assignee: Unassigned
            • Reporter: Paulo Nunes (Inactive)
            • Votes: 0
            • Watchers: 5