  1. eZ Publish / Platform
  2. EZP-24954

Platform UI is allowing the upload of files bigger than post_max_size

    Details

    • Type: Bug
    • Status: Backlog
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 5.0, 2015.09, 1.4.0-beta1
    • Fix Version/s: QA tracked issues
    • Component/s: None
    • Environment:

      Operating System: CentOS 7.0 x64
      PHP Version: 5.4.16
      Database and version: Mariadb 5.5
      Browser (and version): Chrome 45

      Description

      Hi,
      When I upload a binary file bigger than upload_max_filesize, I get no errors and the file is uploaded.
      STEPS TO REPRODUCE
      – Set "post_max_size = 2M" in php.ini
      – Create a content -> Video
      – Fill in the name (Video1) and upload or drag&drop a video file bigger than 2M
      – See that the file is uploaded (which is not expected, since it's bigger than post_max_size)
      – Publish the video
      – See that the video was published without any error

        Issue Links

          Activity

          Paulo Nunes (Inactive) created issue -
          Paulo Nunes (Inactive) made changes -
          Field Original Value New Value
          Link This issue discovered while testing EZP-23979 [ EZP-23979 ]
          Paulo Nunes (Inactive) made changes -
          Status Open [ 1 ] Confirmed [ 10037 ]
          Paulo Nunes (Inactive) added a comment -

          I will mark it as invalid.
          In another testing environment this setting is being honored...

          Paulo Nunes (Inactive) made changes -
          Status Confirmed [ 10037 ] Closed [ 6 ]
          Resolution Invalid [ 6 ]
          Paulo Nunes (Inactive) added a comment -

          I'll open this issue again, because it's happening consistently in both Apache and nginx 1.4 environments.
          I change php.ini post_max_size to 2 MB and when trying to upload a video file of 5 MB, it is accepted without any warning or information.

          Paulo Nunes (Inactive) made changes -
          Resolution Invalid [ 6 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          Miguel das Neves Jacinto (Inactive) made changes -
          Status Reopened [ 4 ] Confirmed [ 10037 ]
          Miguel das Neves Jacinto (Inactive) added a comment -

          +1 Confirmed

          André Rømcke made changes -
          Priority High [ 3 ] Medium [ 4 ]
          Bertrand Dunogier added a comment - - edited

          As it turns out, the settings have never had any effect on file uploads since version 5.0.

          The reason is that this setting, as well as upload_max_size, acts upon data in $_POST and $_FILES. As it turns out, since the REST API uses the request body to transport binary file data, it bypasses this check. Quoting the PHP doc: "If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty."

          Given that we do not say anywhere that we "support" this setting, I'm not sure we should remove it. The size of the files can still be validated using the size configuration of the Field Definition. From a user's perspective, it's actually simpler.

          Note however that it will affect file upload done via symfony forms when implemented, since those will use standard POST and multipart form-data.

          When it comes to limiting the size of requests sent altogether to the server, there are directives for this in our example / template web server configuration files: https://github.com/ezsystems/ezplatform/blob/master/doc/apache2/vhost.template#L14, https://github.com/ezsystems/ezplatform/blob/master/doc/nginx/vhost.template#L21.

          I'm tempted to disqualify the issue (e.g. "you don't qualify as an issue" ).

          Bertrand Dunogier made changes -
          Affects Version/s 1.4.0-beta1 [ 14528 ]
          Affects Version/s 5.0 [ 10300 ]
          Paulo Nunes (Inactive) added a comment -

          Ok. But if we assume the disqualification of this as an issue, then we might as well remove or update the references to post_max_size in documentation to reflect this fact.
          At least here https://doc.ez.no/display/EZP/Requirements+for+doing+a+normal+installation#Requirementsfordoinganormalinstallation-PHPmaxpostsize
          and here https://doc.ez.no/pages/viewpage.action?pageId=31429536

          Damien Pobel (Inactive) added a comment -

          You are right, the documentation should be updated to indicate the right settings, i.e. LimitRequestBody for Apache and client_max_body_size for Nginx instead of post_max_size.

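An application-level size check for uploads that arrive in the raw request body rather than in $_FILES, as the comments above describe. This is an added example, not eZ Platform code and not part of any comment in this issue: `readBoundedBody` and `BodyTooLarge` are hypothetical names, and the 2 MB limit and 5 MB body mirror the values in the report. It is meant to sit behind the LimitRequestBody / client_max_body_size directives, not replace them.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not an eZ Platform API): read a raw request body,
// refusing anything larger than $maxBytes.
final class BodyTooLarge extends RuntimeException {}

function readBoundedBody($stream, ?string $contentLength, int $maxBytes): string
{
    // Early rejection when the client declares its size.
    if ($contentLength !== null && ctype_digit($contentLength)
        && (int) $contentLength > $maxBytes) {
        throw new BodyTooLarge("declared $contentLength bytes, limit $maxBytes");
    }

    // Content-Length can be absent or wrong, so the read itself is capped too.
    $body = '';
    while (!feof($stream)) {
        $chunk = fread($stream, 8192);
        if ($chunk === false) {
            throw new RuntimeException('read error');
        }
        $body .= $chunk;
        if (strlen($body) > $maxBytes) {
            throw new BodyTooLarge("body exceeds $maxBytes bytes");
        }
    }
    return $body;
}

// In a web request the call would be (assumed wiring, answer with HTTP 413):
//   readBoundedBody(fopen('php://input', 'rb'),
//                   $_SERVER['CONTENT_LENGTH'] ?? null, $limit);

// Constructed demo input: a 5 MB body against a 2 MB limit.
$limit = 2 * 1024 * 1024;
$fake = fopen('php://memory', 'w+b');
fwrite($fake, str_repeat('A', 5 * 1024 * 1024));
rewind($fake);
try {
    readBoundedBody($fake, null, $limit);
    echo "accepted\n";
} catch (BodyTooLarge $e) {
    echo "413 Payload Too Large: ", $e->getMessage(), "\n";
}
```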
          Damien Pobel (Inactive) made changes -
          Status Confirmed [ 10037 ] InputQ [ 10001 ]
          Damien Pobel (Inactive) made changes -
          Component/s Documentation [ 10793 ]
          Component/s Platform UI (Admin UI & Content UI) [ 10301 ]
          Damien Pobel (Inactive) made changes -
          Status InputQ [ 10001 ] Development Review done [ 10028 ]
          Paulo Nunes (Inactive) added a comment -

          Unless different opinions are raised, I will close this issue as invalid, as post_max_size is not currently used under ezplatform scope.

          Regarding documentation, the https://doc.ez.no/display/EZP/Requirements+for+doing+a+normal+installation#Requirementsfordoinganormalinstallation-PHPmaxpostsize page has already been fixed: requirements references to post_max_size have been removed, and LimitRequestBody for Apache and client_max_body_size for Nginx have been referred to in https://doc.ez.no/display/DEVELOPER/Avoiding+problems (see EZP-25944).

          Paulo Nunes (Inactive) made changes -
          Status Development Review done [ 10028 ] Closed [ 6 ]
          Resolution Invalid [ 6 ]
          Bertrand Dunogier added a comment - - edited

          As a matter of fact, I have experienced the post size limitation last week. Creation of an image using PlatformUI was failing.

          I'll try to understand why it didn't happen the first times...

          Let's reopen it.

          Bertrand Dunogier made changes -
          Resolution Invalid [ 6 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          Sarah Haïm-Lubczanski (Inactive) made changes -
          Status Reopened [ 4 ] Confirmed [ 10037 ]
          Sarah Haïm-Lubczanski (Inactive) made changes -
          Status Confirmed [ 10037 ] Backlog [ 10000 ]
          Dominika Kurek made changes -
          Component/s Documentation [ 10793 ]
          André Rømcke made changes -
          Link This issue relates to EZP-23774 [ EZP-23774 ]
          Alex Schuster made changes -
          Workflow EZ* Development Workflow [ 96194 ] EZEE Development Workflow [ 108060 ]
          Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
          Open → Confirmed | 1m 27s | 1 | Paulo Nunes | 12/Oct/15 3:20 PM
          Confirmed → Closed | 35m 35s | 1 | Paulo Nunes | 12/Oct/15 3:56 PM
          Confirmed → InputQ | 5h 51m | 1 | damien.pobel@ez.no | 21/Jun/16 5:31 PM
          InputQ → Development Review done | 14s | 1 | damien.pobel@ez.no | 21/Jun/16 5:31 PM
          Development Review done → Closed | 1d 17h 58m | 1 | Paulo Nunes | 23/Jun/16 11:30 AM
          Closed → Reopened | 253d 20h 16m | 2 | Bertrand Dunogier | 24/Jun/16 12:04 PM
          Reopened → Confirmed | 138d 3h 31m | 2 | sarah.haim-lubczanski@ez.no | 09/Nov/16 2:34 PM
          Confirmed → Backlog | 4s | 1 | sarah.haim-lubczanski@ez.no | 09/Nov/16 2:34 PM

            People

            • Assignee: Unassigned
            • Reporter: Paulo Nunes (Inactive)
            • Votes: 0
            • Watchers: 5
