Menu
When I perform stream upload from Java to PHP, I sometimes get a PHP error saying input vars exceeds the limit of max_input_vars.
At first, I did not realize why. Let me first explain:
The files are being uploaded with an approach similar to this:
// get file data from input stream
$putdata = fopen("php://input", "r");
$tmp = tmpfile();
filesize = stream_copy_to_stream ($putdata, $tmp);
fclose ($putdata);
// copy temp stream into destination stream
$target = fopen('myfile.dwg', "w");
fseek($tmp, 0, SEEK_SET);
stream_copy_to_stream($tmp, $target);
fclose($target);
fclose ($tmp);
To get a picture why PHP would give me such a warning, I took a dump of the data being sent:
file_put_contents ('input_vars.log', print_r ($_REQUEST, true));
file_put_contents ('php_input.log', file_get_contents ('php://input'));
Here's the funny part: The file being uploaded is 1,8 megabytes. The resulting logs are:
input_vars.log => 5 megabytes, 90,000 linesphp_input.log => 20 megabytes, 283,000 linesNow the error message suddenly seems legit. The php_input.log just contains bytecode, but the input_vars.log is formatted as such:
Array
(
[filename] => 0018-101-001_67.dwg
[versionId] => 11253
[filetype] => dwg
[‘á‹Úê-8øFj–sÙ/ghÔ÷JJÐWhvPV] => ...
....
)
The first three keys are sent via GET, and all the rest would then be the file data. If I search and count for matches of =>, I get 25,954 matches. I then assume that REQUEST holds 26,000 keys.
Now, over to my question:
I have rased the max_input_vars value several times, and it now holds the value of 30000. Should I just ignore this security setting, and set it has high as possible?
My concern is that PHP removes parts from the REQUEST array if it is larger than 30000, making the file corrupt.
Is there any security problems with setting this value too high? Is there perhaps a better way of uploading files to PHP?
766
PHP $_FILES The global predefined variable $_FILES is an associative array containing items uploaded via HTTP POST method. Uploading a file requires HTTP POST method form with enctype attribute set to multipart/form-data.
PHP allows you to upload single and multiple files through few lines of code only. PHP file upload features allows you to upload binary and text files both. Moreover, you can have the full control over the file to be uploaded through PHP authentication and file operation functions.
The filesize() function in PHP is an inbuilt function which is used to return the size of a specified file. The filesize() function accepts the filename as a parameter and returns the size of a file in bytes on success and False on failure.
Definition and Usage. The move_uploaded_file() function moves an uploaded file to a new destination. Note: This function only works on files uploaded via PHP's HTTP POST upload mechanism. Note: If the destination file already exists, it will be overwritten.
Maybe try setting enable_post_data_reading directive to "false" (or "Off") to prevent PHP from parsing the file body?
BTW if you are using PHP 5.3.9, you should patch the max_input_vars vulnerability.
149
What you want to do, is a PUT upload, you shouldn't handle it as a POST; or - at least - set the Content-Type HTTP header to application/octet-stream
2
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
